Exception in CRUD operations using minilang
-------------------------------------------

                 Key: OFBIZ-3982
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3982
             Project: OFBiz
          Issue Type: Bug
          Components: ALL COMPONENTS
    Affects Versions: Release 09.04
         Environment: LINUX
            Reporter: Shereen Ashraf

I'm trying to use the minilang to delete a record in an entity. I faced the following exception

Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [reviewId] passed to secure (https) request-map with uri [RemovePlanetReview] with an event that calls service [learningRemovePlanetReview]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at http://docs.ofbiz.org/x/r.

Does anyone know what's this? I've done this experiment in release10.04

this is how I wrote the delete button in the form

    <field name="delete">
        <hyperlink target="RemovePlanetReview?reviewId=${reviewId}" description="Delete"/>
    </field>

this is the service

    <simple-method method-name="removePlantetReview" short-description="Delete a Planet Review">
        <entity-one entity-name="PlanetReview" value-name="lookedUpValue"/>
        <remove-value value-name="lookedUpValue"/>
    </simple-method>

this is the request

    <request-map uri="RemovePlanetReview">
        <security auth="true" https="true"/>
        <event type="service" invoke="learningRemovePlanetReview"/>
        <response name="success" type="view" value="ListPlanetReviews"/>
        <response name="error" type="view" value="ListPlanetReviews"/>
    </request-map>

would anyone please tell what's going on?
Am I going to face the same trouble in 10.04 ?
Thanks in advance to anyone who can help

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-3982?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-3982.
----------------------------------

    Resolution: Not A Problem
      Assignee: Jacques Le Roux

Shereen,

You should not create a Jira issue for such a problem, or at least rather ask before on user ML, thanks.

As the message clearly explains, this occurs for security reasons! OFBiz does not allow passing parameters in a URL which calls a service as you did with

{code}
<hyperlink target="RemovePlanetReview?reviewId=${reviewId}"
{code}

You should use a parameter, something like

{code}
<hyperlink target="RemovePlanetReview">
    <parameter param-name="reviewId" value="${reviewId}"/>
</hyperlink>
{code}

In other words, never use a GET with parameters but always a POST with parameters in the HTTP header (I mean this is also true for Template FTL)

[ https://issues.apache.org/jira/browse/OFBIZ-3982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918964#action_12918964 ]

Adrian Crum commented on OFBIZ-3982:
------------------------------------

Jacques,

I believe the reason Shereen created this issue is because the error message instructed him/her to do so.

[ https://issues.apache.org/jira/browse/OFBIZ-3982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918970#action_12918970 ]

Jacques Le Roux commented on OFBIZ-3982:
----------------------------------------

I understand that you created this issue because it was asked by the message. But please understand that this is only true for OOTB code, not custom code...

BTW it's ok if the service is only reading (the R in CRUD). You can even bypass the security by setting service.http.parameters.require.encrypted to N in url.properties. But as this will be for your whole application it's not recommended though!

I'm sure you got it now...

[ https://issues.apache.org/jira/browse/OFBIZ-3982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918971#action_12918971 ]

Jacques Le Roux commented on OFBIZ-3982:
----------------------------------------

Adrian,

Yes, just saw your message after my (complete) explanation, thanks!