This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository
https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 7342f35 Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
7342f35 is described below
commit 7342f35d6f85f27c5b96edc92d1d38ba00e01899
Author: Jacques Le Roux <
[hidden email]>
AuthorDate: Sat Jun 27 10:43:02 2020 +0200
Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
Fixes a bug that appeared when there is no problem viewing the order, my bad
---
applications/order/groovyScripts/order/OrderViewWebSecure.groovy | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index c5bdd5b..fc1e65c 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -59,9 +59,9 @@ if (orderHeader) {
canViewInternalDetails = false
errMsgList.add("It's not an error : you are not allowed to view this!")
showErrorMsg = "Y"
+ request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+ context.showErrorMsg = showErrorMsg
}
- request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
- context.showErrorMsg = showErrorMsg
}
context.hasPermission = hasPermission
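Review bot: The denial branch at the top of this hunk appears to fail soft. It sets `canViewInternalDetails = false` and the error attributes, but nothing visible here sets `hasPermission` to false or stops the script, and `context.hasPermission = hasPermission` still runs after the block. Whether another party's order is actually withheld therefore depends on lines outside the hunk (the `if (orderHeader)` block starts above it) and on the screen honouring `showErrorMsg`. If it is not already done earlier in the script, I would add `hasPermission = false` next to `canViewInternalDetails = false` so the check fails closed. I would also log the refused request with the requesting user login and the order id, so that repeated probing of order ids shows up in the logs.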