createOrderAdjustment, updateOrderAdjustment and deleteOrderAdjustment security related error
---------------------------------------------------------------------------------------------

                 Key: OFBIZ-2415
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2415
             Project: OFBiz
          Issue Type: Sub-task
          Components: order
            Reporter: Amit Sharma
             Fix For: Release Branch 9.04, SVN trunk

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [orderAdjustmentId] passed to secure (https) request-map with uri [createOrderAdjustment, updateOrderAdjustment and deleteOrderAdjustment].

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amit Sharma updated OFBIZ-2415:
-------------------------------

    Attachment: editorderitems.patch

Here is the patch for this issue.

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12705243#action_12705243 ]

Ashish Nagar commented on OFBIZ-2415:
-------------------------------------

Hello Amit,

This is not the correct way to solve this issue. I guess you have forgotten *paramString*. You will have to include the values of the variables present in *paramString*, i.e. workEffortId, partyId, roleTypeId and fromDate, in the form.

{quote}
<form name="addAdjustmentForm" method="post" action="<@ofbizUrl>createOrderAdjustment?${paramString}</@ofbizUrl>">
{quote}

The following line is deleted unnecessarily:

{quote}
<input type="hidden" name="comments" value="Added manually by [${userLogin.userLoginId}]"/>
{quote}

Also, I cannot think of a reason for replacing the existing submit button with an anchor, e.g.

{quote}
<input class="smallSubmit" type="submit" value="${uiLabelMap.CommonAdd}"/>
{quote}

with

{quote}
<a href='javascript:document.addAdjustmentForm.submit()' class='buttontext'> ${uiLabelMap.CommonAdd} </a>
{quote}

This patch needs improvement. For more reference you can refer to OFBIZ-2260. Please do the needful.

Thanks,
--
Ashish Nagar

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Amit Sharma updated OFBIZ-2415:
-------------------------------

    Attachment: editorderitems.patch

Thanks Ashish Nagar for the comments. It has been changed accordingly, please have a look at it.

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12705269#action_12705269 ]

Ashish Nagar commented on OFBIZ-2415:
-------------------------------------

Thanks Amit,

Here are some suggestions,

i) Value must be ${orderId?if_exists}
{quote}
<input type="hidden" name="orderId" value="${orderId}"/>
{quote}

ii) No need to put * * here,
{quote}
<a href='javascript:document.deleteOrderAdjustment_${orderAdjustmentId}.submit()' class='buttontext'> ${uiLabelMap.CommonDelete} </a>
{quote}

iii) There are also some more links on this page whose parameters should be sent encrypted.

Although, improving for i) and ii), your patch will be complete for this issue (createOrderAdjustment, updateOrderAdjustment and deleteOrderAdjustment), but finalizing the patch for iii) as well, will be highly appreciated :-).

Thanks & Regards,
--
Ashish Nagar

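
One way to look for the remaining links mentioned in point iii), as an added example that is not part of the thread or of OFBiz: a scan of template text for `<@ofbizUrl>` targets that pass parameters in the URL to one of the secure request-maps named in the issue. The function name `find_url_params`, the `examplePublicPage` URI and the sample template are constructed for illustration.

```python
import re

# Secure (https) request-map URIs named in the issue title.
SECURE_URIS = {"createOrderAdjustment", "updateOrderAdjustment",
               "deleteOrderAdjustment"}

# <@ofbizUrl>uri?query</@ofbizUrl>, the shape quoted in the thread.
OFBIZ_URL = re.compile(
    r"<@ofbizUrl[^>]*>\s*/?([^?<\s]+)\?(.*?)</@ofbizUrl>", re.S)

# Constructed sample template (not the real editorderitems.ftl).
SAMPLE = '''\
<form name="addAdjustmentForm" method="post" action="<@ofbizUrl>createOrderAdjustment?${paramString}</@ofbizUrl>">
  <input type="hidden" name="orderId" value="${orderId?if_exists}"/>
</form>
<a href="<@ofbizUrl>deleteOrderAdjustment?orderAdjustmentId=${orderAdjustmentId}&amp;orderId=${orderId}</@ofbizUrl>">delete</a>
<form name="updateForm" method="post" action="<@ofbizUrl>updateOrderAdjustment</@ofbizUrl>">
  <input type="hidden" name="orderAdjustmentId" value="${orderAdjustmentId}"/>
</form>
<a href="<@ofbizUrl>examplePublicPage?orderId=${orderId}</@ofbizUrl>">view</a>
'''


def find_url_params(template, secure_uris=SECURE_URIS):
    """Return (line_no, uri, names) for each secure URI given a query string.

    names holds the parameter names found in the query; a bare
    interpolation such as ${paramString} is reported as-is because its
    contents are only known at render time.
    """
    findings = []
    for m in OFBIZ_URL.finditer(template):
        uri, query = m.group(1), m.group(2).strip()
        if uri not in secure_uris:
            continue  # only secure request-maps are of interest here
        parts = [p for p in re.split(r"&amp;|&", query) if p]
        names = [p.split("=", 1)[0] for p in parts]
        line_no = template.count("\n", 0, m.start()) + 1
        findings.append((line_no, uri, names))
    return findings


if __name__ == "__main__":
    for line_no, uri, names in find_url_params(SAMPLE):
        print(f"line {line_no}: {uri} receives {names} in the URL")
```

Forms that post to a secure URI with hidden inputs and no query string, like `updateForm` in the sample, are not reported.
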
[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-2415:
--------------------------------------

    Assignee: Jacques Le Roux

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753451#action_12753451 ]

Jacques Le Roux commented on OFBIZ-2415:
----------------------------------------

Any update?

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12753456#action_12753456 ]

Amit Sharma commented on OFBIZ-2415:
------------------------------------

Hi Jacques,

Please close this issue because it is fixed at r778653.

Regards,
-Amit Sharma

[ https://issues.apache.org/jira/browse/OFBIZ-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-2415.
----------------------------------

    Resolution: Duplicate
      Assignee: Vikas Mayur  (was: Jacques Le Roux)

Duplicate of OFBIZ-2514 (dixit Amit Sharma)