[jira] Created: (OFBIZ-4106) deleteCustomerTaxAuthInfo page called from /ecommerce/control/viewprofile

deleteCustomerTaxAuthInfo page called from /ecommerce/control/viewprofile
-------------------------------------------------------------------------

                 Key: OFBIZ-4106
                 URL: https://issues.apache.org/jira/browse/OFBIZ-4106
             Project: OFBiz
          Issue Type: Sub-task
          Components: specialpurpose/ecommerce
    Affects Versions: Release 09.04
         Environment: Linux x64 Debian AMD64
            Reporter: Michał Cukierman


Steps to reproduce:
1) Login to ecommerce app
2) View the profile
3) Add some  entries uder Tax Identification and Exemption
4) Try to delete previously added value

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983279#action_12983279 ]

Jacques Le Roux commented on OFBIZ-4106:
----------------------------------------

Which revision of R9.04 are you using? Because it seems I can't reproduce, could you give more details, an URL would be perfect...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983377#action_12983377 ]

Michał Cukierman commented on OFBIZ-4106:
-----------------------------------------

Step 2: Go to:
https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
Step 3: After adding tax info:
https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
Step 4: try to remove previously added tax info (using X on the right)
https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485


Standard error message:

"The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

I am loged in as admin



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983377#action_12983377 ]

Michał Cukierman edited comment on OFBIZ-4106 at 1/18/11 4:12 PM:
------------------------------------------------------------------

Step 2: Go to:
https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
Step 3: After adding tax info:
https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
Step 4: try to remove previously added tax info (using X on the left)
https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485


Standard error message:

"The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

I am logged in as admin



      was (Author: mcukierman):
    Step 2: Go to:
https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
Step 3: After adding tax info:
https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
Step 4: try to remove previously added tax info (using X on the left)
https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485


Standard error message:

"The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

I am loged in as admin


 
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983377#action_12983377 ]

Michał Cukierman edited comment on OFBIZ-4106 at 1/18/11 4:12 PM:
------------------------------------------------------------------

Step 2: Go to:
https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
Step 3: After adding tax info:
https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
Step 4: try to remove previously added tax info (using X on the left)
https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485


Standard error message:

"The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

I am loged in as admin



      was (Author: mcukierman):
    Step 2: Go to:
https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
Step 3: After adding tax info:
https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
Step 4: try to remove previously added tax info (using X on the right)
https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485


Standard error message:

"The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

I am loged in as admin


 
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michał Cukierman updated OFBIZ-4106:
------------------------------------

    Attachment: Zaznaczenie_001.png

Screenshot with error on demo-stable host

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983817#action_12983817 ]

Jacques Le Roux commented on OFBIZ-4106:
----------------------------------------

Hi Michał,

This is not an easy fix, because, for secruoty reason, we would need to have a form into a form and that does not work in HTML. This because the faulty snippet is rendered by "screens.render" in specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
{code}
<form method="post" action="<@ofbizUrl>createCustomerTaxAuthInfo</@ofbizUrl>" name="createCustTaxAuthInfoForm">
    <input type="hidden" name="partyId" value="${party.partyId}"/>
    ${screens.render("component://order/widget/ordermgr/OrderEntryOrderScreens.xml#customertaxinfo")}
    <input type="submit" value="${uiLabelMap.CommonAdd}" class="smallSubmit"/>
</form>
{code}

So we would have this patch

{code}
### Eclipse Workspace Patch 1.0
#P release09.04
Index: applications/order/webapp/ordermgr/entry/customertaxinfo.ftl
===================================================================
--- applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (revision 1060759)
+++ applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (working copy)
@@ -19,7 +19,13 @@
 <#if partyTaxAuthInfoAndDetailList?exists>
     <#list partyTaxAuthInfoAndDetailList as partyTaxAuthInfoAndDetail>
         <div>
-            <a href="<@ofbizUrl>deleteCustomerTaxAuthInfo?partyId=${partyId}&amp;taxAuthPartyId=${partyTaxAuthInfoAndDetail.taxAuthPartyId}&amp;taxAuthGeoId=${partyTaxAuthInfoAndDetail.taxAuthGeoId}&amp;fromDate=${partyTaxAuthInfoAndDetail.fromDate}</@ofbizUrl>" class="buttontext">X</a>
+          <form name="deleteCustomerTaxAuthInfo" id="deleteCustomerTaxAuthInfo" method="POST" action="<@ofbizUrl>deleteCustomerTaxAuthInfo</@ofbizUrl>">
+            <input type="hidden" name="partyId" value="${partyId}">
+            <input type="hidden" name="taxAuthPartyId" value="${partyTaxAuthInfoAndDetail.taxAuthPartyId}">
+            <input type="hidden" name="taxAuthGeoId" value="${partyTaxAuthInfoAndDetail.taxAuthGeoId}">
+            <input type="hidden" name="fromDate" value="${partyTaxAuthInfoAndDetail.fromDate}">
+            <input type="submit" name="deleteCustomerTaxAuthInfo" class="buttontext" value="X">
+          </form>
             [${partyTaxAuthInfoAndDetail.geoCode}] ${partyTaxAuthInfoAndDetail.geoName} (${partyTaxAuthInfoAndDetail.groupName?if_exists}): ${uiLabelMap.PartyTaxId} [${partyTaxAuthInfoAndDetail.partyTaxId?default("N/A")}], ${uiLabelMap.PartyTaxIsExempt} [${partyTaxAuthInfoAndDetail.isExempt?default("N")}]
         </div>
     </#list>
{code}

And it would generate the form deleteCustomerTaxAuthInfo into the form createCustTaxAuthInfoForm and that can't work. So it needs to be replaced by calls from the calling screen. Can you handle the case and provide a patch?

Thanks for your interest in OFBiz

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985719#action_12985719 ]

Michał Cukierman commented on OFBIZ-4106:
-----------------------------------------

Hi Jacques,

I will put this on my TODO list. Unfortunately I have two comming deadlines, so I will not be able to do it before March. I work on highly customized Ofbiz version and I am not able to provide you diff from my current codebase.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12985757#action_12985757 ]

Jacques Le Roux commented on OFBIZ-4106:
----------------------------------------

Thanks Michał,  no hurry anyway... Just let me know when you are ready, anyway I will receive from Jira, no worries...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-4106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12983817#comment-12983817 ]

Jacques Le Roux edited comment on OFBIZ-4106 at 1/31/11 12:57 PM:
------------------------------------------------------------------

Hi Michał,

This is not an easy fix, because, for security reason, we would need to have a form into a form and that does not work in HTML. This because the faulty snippet is rendered by "screens.render" in specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
{code}
<form method="post" action="<@ofbizUrl>createCustomerTaxAuthInfo</@ofbizUrl>" name="createCustTaxAuthInfoForm">
    <input type="hidden" name="partyId" value="${party.partyId}"/>
    ${screens.render("component://order/widget/ordermgr/OrderEntryOrderScreens.xml#customertaxinfo")}
    <input type="submit" value="${uiLabelMap.CommonAdd}" class="smallSubmit"/>
</form>
{code}

So we would have this patch

{code}
### Eclipse Workspace Patch 1.0
#P release09.04
Index: applications/order/webapp/ordermgr/entry/customertaxinfo.ftl
===================================================================
--- applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (revision 1060759)
+++ applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (working copy)
@@ -19,7 +19,13 @@
 <#if partyTaxAuthInfoAndDetailList?exists>
     <#list partyTaxAuthInfoAndDetailList as partyTaxAuthInfoAndDetail>
         <div>
-            <a href="<@ofbizUrl>deleteCustomerTaxAuthInfo?partyId=${partyId}&amp;taxAuthPartyId=${partyTaxAuthInfoAndDetail.taxAuthPartyId}&amp;taxAuthGeoId=${partyTaxAuthInfoAndDetail.taxAuthGeoId}&amp;fromDate=${partyTaxAuthInfoAndDetail.fromDate}</@ofbizUrl>" class="buttontext">X</a>
+          <form name="deleteCustomerTaxAuthInfo" id="deleteCustomerTaxAuthInfo" method="POST" action="<@ofbizUrl>deleteCustomerTaxAuthInfo</@ofbizUrl>">
+            <input type="hidden" name="partyId" value="${partyId}">
+            <input type="hidden" name="taxAuthPartyId" value="${partyTaxAuthInfoAndDetail.taxAuthPartyId}">
+            <input type="hidden" name="taxAuthGeoId" value="${partyTaxAuthInfoAndDetail.taxAuthGeoId}">
+            <input type="hidden" name="fromDate" value="${partyTaxAuthInfoAndDetail.fromDate}">
+            <input type="submit" name="deleteCustomerTaxAuthInfo" class="buttontext" value="X">
+          </form>
             [${partyTaxAuthInfoAndDetail.geoCode}] ${partyTaxAuthInfoAndDetail.geoName} (${partyTaxAuthInfoAndDetail.groupName?if_exists}): ${uiLabelMap.PartyTaxId} [${partyTaxAuthInfoAndDetail.partyTaxId?default("N/A")}], ${uiLabelMap.PartyTaxIsExempt} [${partyTaxAuthInfoAndDetail.isExempt?default("N")}]
         </div>
     </#list>
{code}

And it would generate the form deleteCustomerTaxAuthInfo into the form createCustTaxAuthInfoForm and that can't work. So it needs to be replaced by calls from the calling screen. Can you handle the case and provide a patch?

Thanks for your interest in OFBiz

================= FIXED TYPO =================

      was (Author: jacques.le.roux):
    Hi Michał,

This is not an easy fix, because, for secruoty reason, we would need to have a form into a form and that does not work in HTML. This because the faulty snippet is rendered by "screens.render" in specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
{code}
<form method="post" action="<@ofbizUrl>createCustomerTaxAuthInfo</@ofbizUrl>" name="createCustTaxAuthInfoForm">
    <input type="hidden" name="partyId" value="${party.partyId}"/>
    ${screens.render("component://order/widget/ordermgr/OrderEntryOrderScreens.xml#customertaxinfo")}
    <input type="submit" value="${uiLabelMap.CommonAdd}" class="smallSubmit"/>
</form>
{code}

So we would have this patch

{code}
### Eclipse Workspace Patch 1.0
#P release09.04
Index: applications/order/webapp/ordermgr/entry/customertaxinfo.ftl
===================================================================
--- applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (revision 1060759)
+++ applications/order/webapp/ordermgr/entry/customertaxinfo.ftl (working copy)
@@ -19,7 +19,13 @@
 <#if partyTaxAuthInfoAndDetailList?exists>
     <#list partyTaxAuthInfoAndDetailList as partyTaxAuthInfoAndDetail>
         <div>
-            <a href="<@ofbizUrl>deleteCustomerTaxAuthInfo?partyId=${partyId}&amp;taxAuthPartyId=${partyTaxAuthInfoAndDetail.taxAuthPartyId}&amp;taxAuthGeoId=${partyTaxAuthInfoAndDetail.taxAuthGeoId}&amp;fromDate=${partyTaxAuthInfoAndDetail.fromDate}</@ofbizUrl>" class="buttontext">X</a>
+          <form name="deleteCustomerTaxAuthInfo" id="deleteCustomerTaxAuthInfo" method="POST" action="<@ofbizUrl>deleteCustomerTaxAuthInfo</@ofbizUrl>">
+            <input type="hidden" name="partyId" value="${partyId}">
+            <input type="hidden" name="taxAuthPartyId" value="${partyTaxAuthInfoAndDetail.taxAuthPartyId}">
+            <input type="hidden" name="taxAuthGeoId" value="${partyTaxAuthInfoAndDetail.taxAuthGeoId}">
+            <input type="hidden" name="fromDate" value="${partyTaxAuthInfoAndDetail.fromDate}">
+            <input type="submit" name="deleteCustomerTaxAuthInfo" class="buttontext" value="X">
+          </form>
             [${partyTaxAuthInfoAndDetail.geoCode}] ${partyTaxAuthInfoAndDetail.geoName} (${partyTaxAuthInfoAndDetail.groupName?if_exists}): ${uiLabelMap.PartyTaxId} [${partyTaxAuthInfoAndDetail.partyTaxId?default("N/A")}], ${uiLabelMap.PartyTaxIsExempt} [${partyTaxAuthInfoAndDetail.isExempt?default("N")}]
         </div>
     </#list>
{code}

And it would generate the form deleteCustomerTaxAuthInfo into the form createCustTaxAuthInfoForm and that can't work. So it needs to be replaced by calls from the calling screen. Can you handle the case and provide a patch?

Thanks for your interest in OFBiz
 
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira