[jira] Created: (OFBIZ-3316) Edit/Navigate Global GL Account - Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount]

Edit/Navigate Global GL Account - Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount]
-----------------------------------------------------------------------------------------------------------------------------------

                 Key: OFBIZ-3316
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3316
             Project: OFBiz
          Issue Type: Sub-task
            Reporter: chris snow




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12787801#action_12787801 ]

chris snow commented on OFBIZ-3316:
-----------------------------------

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount] with an event that calls service [updateGlAccount]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.

> Edit/Navigate Global GL Account - Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount]
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-3316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3316
>             Project: OFBiz
>          Issue Type: Sub-task
>            Reporter: chris snow
>


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12855829#action_12855829 ]

Bob Morley commented on OFBIZ-3316:
-----------------------------------

Attempted to reproduce this in trunk; but it appears the only link to updateGlAccount is in GlobalGlAccountsForms.xml -> EditGlAccount which worked correctly.  Checked the 9.04 branch and it appears to be correct as well.

> Edit/Navigate Global GL Account - Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount]
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-3316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3316
>             Project: OFBiz
>          Issue Type: Sub-task
>            Reporter: chris snow
>


--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

    [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12858321#action_12858321 ]

Jacques Le Roux commented on OFBIZ-3316:
----------------------------------------

I just reproduced with this URL https://demo-trunk.ofbiz.apache.org/accounting/control/updateGlAccount?glAccountClassId=ASSET&accountCode=100000&accountName=ASSETS&glAccountTypeId=COMMISSION_EXPENSE&glResourceTypeId=MONEY&glAccountId=100000&postedBalance=0&productId=GZ-1000&trail=100000|100000

I will have a look...

> Edit/Navigate Global GL Account - Found URL parameter [glAccountId] passed to secure (https) request-map with uri [updateGlAccount]
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-3316
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3316
>             Project: OFBiz
>          Issue Type: Sub-task
>            Reporter: chris snow
>


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ankit Jain updated OFBIZ-3316:
------------------------------

    Attachment: issue_3316.patch

The error can be reproduced as following:

Steps:
1) Go to Accounting > Global GL Settings > Select any value(100000) from the list > in the "Edit GL Account" update the record > now  in the "Navigate Accounts" section click on any node .

Then you will get the error .......

Here is the patch which resolves the issue.......

Thanks HTH  :)




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-3316.
----------------------------------

         Assignee: Jacques Le Roux
    Fix Version/s: Release Branch 09.04
                   Release Branch 10.04
                   SVN trunk
       Resolution: Fixed

Thanks Ankit,

Your patch is in untrk at r948017, R9.04 at r948021, R10.04 at r948019




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-3316?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12871111#action_12871111 ]

Ankit Jain commented on OFBIZ-3316:
-----------------------------------

Thanks Jacques :)


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.