[jira] [Updated] (OFBIZ-4360) Content is getting public to web search engine no privacy



Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-4360?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Deepak Dixit updated OFBIZ-4360:
--------------------------------
    Attachment: OFBIZ-4360.patch

Here is the patch for this issue.
Added a security check based on the 'DataResource.isPublic' field.
Here are a few scenarios that have been checked while working on the issue:

1) If the user is not logged in to ecommerce and hits the URL mentioned in the issue, then the user will get the following error message - "User authorization is required for this service"

2) If the user is logged in to ecommerce and does not have certain permissions to view the content, then the following error message appears - "To run this operation you must have the one of the following permissions: CONTENTMGR_ROLE_VIEW, CONTENTMGR_ROLE_ADMIN"

3) If the user is logged in to ecommerce and if the user has all the required permissions to view the content, then the user will be able to view the content.

If DataResource.isPublic is set to 'Y' then there is no need to verify the security checks.

> Content is getting public to web search engine no privacy
> ---------------------------------------------------------
>
>                 Key: OFBIZ-4360
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4360
>             Project: OFBiz
>          Issue Type: Bug
>          Components: commonext/setup, content
>    Affects Versions: Release 10.04
>         Environment: red hat enterprise
>            Reporter: patrick LE BLAN
>         Attachments: OFBIZ-4360.patch
>
>
> all content hosted on ofbiz trees is getting public through a general through this link
> myhost:8080/ecommerce/control/ViewSimpleContent?dataResourceId=10170



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
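
The access decision described in the comment above, written out as an added stand-alone Java model with the three scenarios and the isPublic case as checks. This is not the contents of OFBIZ-4360.patch and does not use OFBiz APIs; the class and method names, the use of null for a user who is not logged in, and treating any isPublic value other than 'Y' as non-public are assumptions.

```java
import java.util.*;

// Added illustration: a model of the decision described in the comment,
// not the contents of OFBIZ-4360.patch and not OFBiz API code.
public class ViewSimpleContentCheck {
    // Permission names as quoted in the error message of scenario 2.
    static final Set<String> VIEW_PERMISSIONS = new HashSet<>(
            Arrays.asList("CONTENTMGR_ROLE_VIEW", "CONTENTMGR_ROLE_ADMIN"));

    enum Decision { ALLOW, LOGIN_REQUIRED, PERMISSION_REQUIRED }

    /** isPublic: value of DataResource.isPublic, may be null.
     *  permissions: the logged-in user's permissions, or null when nobody
     *  is logged in (hypothetical representation). */
    static Decision decide(String isPublic, Set<String> permissions) {
        // Assumption: only the exact value "Y" skips the checks; null, "N"
        // or any other value is treated as non-public (fail closed).
        if ("Y".equals(isPublic)) {
            return Decision.ALLOW;
        }
        if (permissions == null) {
            return Decision.LOGIN_REQUIRED;       // scenario 1
        }
        if (Collections.disjoint(permissions, VIEW_PERMISSIONS)) {
            return Decision.PERMISSION_REQUIRED;  // scenario 2
        }
        return Decision.ALLOW;                    // scenario 3
    }

    static void expect(Decision want, String isPublic, Set<String> perms) {
        Decision got = decide(isPublic, perms);
        if (got != want) {
            throw new AssertionError(isPublic + " " + perms + ": " + got);
        }
    }

    public static void main(String[] args) {
        // Constructed users: a customer without content permissions and
        // a user holding CONTENTMGR_ROLE_VIEW; null stands for anonymous.
        Set<String> customer = Collections.singleton("SOME_OTHER_PERMISSION");
        Set<String> viewer = Collections.singleton("CONTENTMGR_ROLE_VIEW");
        expect(Decision.LOGIN_REQUIRED, "N", null);
        expect(Decision.PERMISSION_REQUIRED, "N", customer);
        expect(Decision.ALLOW, "N", viewer);
        expect(Decision.ALLOW, "Y", null);           // public content
        expect(Decision.LOGIN_REQUIRED, null, null); // unset flag stays private
    }
}
```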