This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 67531d8 Improved: "auth" should be true for all the request url used for Application components
67531d8 is described below
commit 67531d8bb2ce8b7cc373cba280dc2d77859adb0d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 14 08:51:06 2020 +0100
Improved: "auth" should be true for all the request url used for Application components
(OFBIZ-4956)
Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization. I think all the URLs should be secure with auth="true"
jleroux: I have also fixed the dataResourceId="GZ-DIG"
Thanks: Amardeep Singh Jhajj for report and initial fix
---
 applications/accounting/webapp/accounting/WEB-INF/controller.xml | 6 +++---
 applications/content/webapp/content/WEB-INF/controller.xml | 4 ++--
 applications/datamodel/data/demo/OrderDemoData.xml | 2 +-
 applications/humanres/webapp/humanres/WEB-INF/controller.xml | 2 +-
 .../manufacturing/webapp/manufacturing/WEB-INF/controller.xml | 2 +-
 applications/marketing/webapp/marketing/WEB-INF/controller.xml | 2 +-
 applications/order/webapp/ordermgr/WEB-INF/controller.xml | 8 ++++----
 applications/party/webapp/partymgr/WEB-INF/controller.xml | 8 ++++----
 applications/product/webapp/catalog/WEB-INF/controller.xml | 6 +++---
 applications/product/webapp/facility/WEB-INF/controller.xml | 2 +-
 framework/common/webcommon/WEB-INF/common-controller.xml | 2 +-
 11 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/applications/accounting/webapp/accounting/WEB-INF/controller.xml b/applications/accounting/webapp/accounting/WEB-INF/controller.xml
index a692b46..7116519 100644
--- a/applications/accounting/webapp/accounting/WEB-INF/controller.xml
+++ b/applications/accounting/webapp/accounting/WEB-INF/controller.xml
@@ -874,7 +874,7 @@ under the License.
 <!-- =============== Fixed Asset mapping =================-->
 <request-map uri="ListFixedAssets"><security https="true" auth="true"/><response name="success" type="view" value="ListFixedAssets"/></request-map>
- <request-map uri="FixedAssetSearchResults"><security https="true" auth="false"/><response name="success" type="view" value="FixedAssetSearchResults"/></request-map>
+ <request-map uri="FixedAssetSearchResults"><security https="true" auth="true"/><response name="success" type="view" value="FixedAssetSearchResults"/></request-map>
 <request-map uri="EditFixedAsset"><security https="true" auth="true"/><response name="success" type="view" value="EditFixedAsset"/></request-map>
 <request-map uri="createFixedAsset">
 <security https="true" auth="true"/>
@@ -2030,7 +2030,7 @@ under the License.
 <response name="error" type="request" value="json"/>
 </request-map>
 <request-map uri="reconcileFinAccountTrans">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="service-multi" invoke="reconcileFinAccountTrans"/>
 <response name="success" type="view" value="BankReconciliation"/>
 <response name="error" type="view" value="BankReconciliation"/>
@@ -2066,7 +2066,7 @@ under the License.
 <response name="error" type="view" value="ViewGlReconciliationWithTransaction"/>
 </request-map>
 <request-map uri="assignGlRecToFinAccTrans">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="service-multi" invoke="assignGlRecToFinAccTrans"/>
 <response name="success" type="view" value="FindFinAccountTrans"/>
 <response name="error" type="view" value="FindFinAccountTrans"/>
diff --git a/applications/content/webapp/content/WEB-INF/controller.xml b/applications/content/webapp/content/WEB-INF/controller.xml
index 0732b6c..468cfbd 100644
--- a/applications/content/webapp/content/WEB-INF/controller.xml
+++ b/applications/content/webapp/content/WEB-INF/controller.xml
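Review bot: auth="true" on the `security` element only requires an authenticated session; it is not the authorization the commit message describes, so `reconcileFinAccountTrans` and `assignGlRecToFinAccTrans` are still reachable by any logged-in user unless the services invoked by their `service-multi` events carry their own permission checks, which are not visible in this hunk. Worth confirming those service definitions declare a permission-service (or that the target views do) before treating this as closing the reported gap. The same caveat applies to every request-map touched by this commit, since none of them adds a permission attribute. If the services are already protected, a one-line comment above each map such as `<!-- auth only; access control is enforced by the invoked service's permission check -->` would make that explicit to the next reader.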
@@ -1029,7 +1029,7 @@ under the License.
 </request-map>
 <request-map uri="UploadImage"><security auth="true" https="true"/><response name="success" type="view" value="UploadImage"/></request-map>
 <request-map uri="img">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
 <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
 <response name="success" type="none"/>
 <response name="error" type="request" value="main"/>
@@ -1756,7 +1756,7 @@ under the License.
 <!-- ================ SimpleContent Requests ================= -->
 <request-map uri="ViewSimpleContent">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
 <response name="success" type="view" value="ViewSimpleContent"/>
 </request-map>
diff --git a/applications/datamodel/data/demo/OrderDemoData.xml b/applications/datamodel/data/demo/OrderDemoData.xml
index 6b4929b..04bcc3e 100644
--- a/applications/datamodel/data/demo/OrderDemoData.xml
+++ b/applications/datamodel/data/demo/OrderDemoData.xml
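Review bot: Both hunks here also flip `https` from "false" to "true", which the commit title and description do not mention; the same undocumented transport change appears in the manufacturing and order `view` maps, `crosssell`, the party `ViewSimpleContent` and `img` maps, and catalog `viewImage`. That is a reasonable hardening, but it is a separate behavioural change from requiring authentication (it will redirect or reject plain-http callers of `img` and `ViewSimpleContent`), so it deserves a sentence in the commit description. Note that the party `ceimages` map is the one left at https="false", which makes the inconsistency more visible.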
@@ -792,7 +792,7 @@ under the License.
 <!-- test Digital Download product -->
 <Product productId="GZ-DIG" productTypeId="DIGITAL_GOOD" primaryProductCategoryId="101" productName="Digital Gizmo" internalName="Digital Gizmo" description="A digital gizmo: can be downloaded immediately after purchase." longDescription="This gizmo is part of an exciting new breed that needs no corporeal form: it is all digital! Buy and download it now!" taxable="Y" chargeShipping="N" autoCreateKeywords="Y" isVirtual="N" isVariant="N" createdDate="2001-05-13 12:00:00.0" createdByUse [...]
- <DataResource dataResourceId="GZ-DIG" dataResourceTypeId="OFBIZ_FILE_BIN" mimeTypeId="image/gif" dataResourceName="Digital Gizmo Image" objectInfo="themes/common/webapp/images/ofbiz_logo.png"/>
+ <DataResource dataResourceId="GZ-DIG" dataResourceTypeId="OFBIZ_FILE_BIN" mimeTypeId="image/gif" dataResourceName="Digital Gizmo Image" objectInfo="themes/common-theme/webapp/images/ofbiz_logo.png"/>
 <DataResource dataResourceTypeId="ELECTRONIC_TEXT" dataResourceId="GZ-DIG-ALT" localeString="en"/>
 <DataResource dataResourceTypeId="ELECTRONIC_TEXT" dataResourceId="DRGZ-DIG-ALTEN" localeString="en_US"/>
 <ElectronicText dataResourceId="GZ-DIG-ALT" textData="digital-gizmo"/>
diff --git a/applications/humanres/webapp/humanres/WEB-INF/controller.xml b/applications/humanres/webapp/humanres/WEB-INF/controller.xml
index fb8810c..fc137a9 100644
--- a/applications/humanres/webapp/humanres/WEB-INF/controller.xml
+++ b/applications/humanres/webapp/humanres/WEB-INF/controller.xml
@@ -40,7 +40,7 @@ under the License.
 <!-- Request Mappings -->
 <request-map uri="view">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="request" value="main"/>
 </request-map>
diff --git a/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml b/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
index 9550502..4948591 100644
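Review bot: The corrected GZ-DIG `DataResource` still declares `mimeTypeId="image/gif"` while `objectInfo` now points at `ofbiz_logo.png`, so the path fix leaves the record internally inconsistent and anything that sets a Content-Type from `mimeTypeId` will label a PNG as GIF. Since this line is being rewritten anyway, the attribute should follow the file: `mimeTypeId="image/png"`. Whether the file at `themes/common-theme/webapp/images/ofbiz_logo.png` actually exists cannot be checked from this hunk.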
--- a/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
+++ b/applications/manufacturing/webapp/manufacturing/WEB-INF/controller.xml
@@ -39,7 +39,7 @@ under the License.
 <!-- Request Mappings -->
 <request-map uri="view">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="request" value="main"/>
 </request-map>
diff --git a/applications/marketing/webapp/marketing/WEB-INF/controller.xml b/applications/marketing/webapp/marketing/WEB-INF/controller.xml
index de47863..7221e3a 100644
--- a/applications/marketing/webapp/marketing/WEB-INF/controller.xml
+++ b/applications/marketing/webapp/marketing/WEB-INF/controller.xml
@@ -305,7 +305,7 @@ under the License.
 <response name="error" type="request-redirect" value="FindImportContactListParties"/>
 </request-map>
 <request-map uri="contactListOptOut" track-serverhit="false" track-visit="false">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="service" invoke="updateContactListPartyNoUserLogin"/>
 <response name="success" type="view" value="ContactListOptOut"/>
 </request-map>
diff --git a/applications/order/webapp/ordermgr/WEB-INF/controller.xml b/applications/order/webapp/ordermgr/WEB-INF/controller.xml
index 2d4cce3..10c5d3c 100644
--- a/applications/order/webapp/ordermgr/WEB-INF/controller.xml
+++ b/applications/order/webapp/ordermgr/WEB-INF/controller.xml
@@ -39,7 +39,7 @@ under the License.
 <!-- Request Mappings -->
 <request-map uri="view">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="request" value="main"/>
 </request-map>
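Review bot: Requiring auth="true" on `contactListOptOut` in the marketing hunk looks like a functional regression rather than a hardening: the event it runs is named `updateContactListPartyNoUserLogin`, and the map disables server-hit and visit tracking, both of which suggest it was deliberately designed to be reached by mail recipients who have no login. If that is the case, an unsubscribe link will now bounce to a login page, and opt-out requests will silently stop being recorded. The safer change is to keep the request unauthenticated and make sure the service itself validates the parameters it receives, documenting the decision in place, e.g. `<!-- intentionally unauthenticated: opt-out links are followed by external recipients; the service validates its inputs -->`. The service definition is not visible here, so please verify before merging either way.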
@@ -229,7 +229,7 @@ under the License.
 </request-map>
 <request-map uri="getConfigDetailsEvent">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="java" path="org.apache.ofbiz.order.shoppingcart.ShoppingCartEvents" invoke="getConfigDetailsEvent"/>
 <response name="success" type="request" value="json"/>
 <response name="error" type="request" value="json"/>
@@ -596,7 +596,7 @@ under the License.
 <response name="success" type="view" value="AddGiftCertificate"/>
 </request-map>
 <request-map uri="addGiftCertificateSurvey">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.apache.ofbiz.content.survey.SurveyEvents"/>
 <response name="success" type="request" value="additem"/>
 <response name="error" type="view" value="AddGiftCertificate"/>
@@ -1794,7 +1794,7 @@ under the License.
 </request-map>
 <request-map uri="crosssell">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="view" value="product"/>
 </request-map>
diff --git a/applications/party/webapp/partymgr/WEB-INF/controller.xml b/applications/party/webapp/partymgr/WEB-INF/controller.xml
index a9bee45..1936fca 100644
--- a/applications/party/webapp/partymgr/WEB-INF/controller.xml
+++ b/applications/party/webapp/partymgr/WEB-INF/controller.xml
@@ -41,7 +41,7 @@ under the License.
 -->
 <!-- Request Mappings -->
- <request-map uri="view"><security https="true" auth="false"/><response name="success" type="request" value="main"/></request-map>
+ <request-map uri="view"><security https="true" auth="true"/><response name="success" type="request" value="main"/></request-map>
 <request-map uri="main"><security https="true" auth="true"/><response name="success" type="view" value="main"/></request-map>
@@ -995,7 +995,7 @@ under the License.
 <!-- ================ SimpleContent Requests ================= -->
 <request-map uri="ViewSimpleContent">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
 <response name="success" type="view" value="ViewSimpleContent"/>
 </request-map>
@@ -1050,7 +1050,7 @@ under the License.
 </request-map>
 <request-map uri="img">
- <security auth="false" https="false"/>
+ <security auth="true" https="true"/>
 <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
 <response name="success" type="none"/>
 <response name="error" type="request" value="main"/>
@@ -1342,7 +1342,7 @@ under the License.
 <!-- external communication event; mark as read using 1px image request -->
 <request-map uri="ceimages" track-serverhit="false" track-visit="false">
- <security https="false" auth="false"/>
+ <security https="false" auth="true"/>
 <event type="java" path="org.apache.ofbiz.party.communication.CommunicationEventServices" invoke="markCommunicationAsRead"/>
 <response name="success" type="none"/>
 </request-map>
diff --git a/applications/product/webapp/catalog/WEB-INF/controller.xml b/applications/product/webapp/catalog/WEB-INF/controller.xml
index 65257f2..496f99b 100644
--- a/applications/product/webapp/catalog/WEB-INF/controller.xml
+++ b/applications/product/webapp/catalog/WEB-INF/controller.xml
@@ -1922,7 +1922,7 @@ under the License.
 <!-- Get Values options associated with a Price Rule Condition Input -->
 <request-map uri="getAssociatedPriceRulesConds">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="service" invoke="getAssociatedPriceRulesConds"/>
 <response name="success" type="request" value="json"/>
 <response name="error" type="request" value="json"/>
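Review bot: The `ceimages` hunk defeats its own purpose: the comment directly above says the 1px image is requested by the recipient of an external communication to mark it as read, and such a recipient has no session, so with auth="true" the `markCommunicationAsRead` event will presumably never run and read tracking silently stops. The endpoint was unauthenticated by design, and the trade-off (anyone who knows the event id can mark it read, versus having no read receipts at all) should be decided explicitly rather than flipped by a blanket rule; if the feature is kept, restore `<security https="false" auth="false"/>` and record the reason in the comment, e.g. `<!-- intentionally unauthenticated: fetched by external mail recipients; only flips a read flag -->`. It is also the only map in this commit left at https="false", which looks unintentional next to the `img` and `ViewSimpleContent` changes above it.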
@@ -2836,7 +2836,7 @@ under the License.
 </response>
 </request-map>
 <request-map uri="viewImage">
- <security https="false" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="view" value="viewImage"/>
 <response name="error" type="view" value="viewImage"/>
 </request-map>
@@ -3031,7 +3031,7 @@ under the License.
 <response name="error" type="request" value="json"/>
 </request-map>
 <request-map uri="listMiniproduct">
- <security auth="false" https="true"/>
+ <security auth="true" https="true"/>
 <response name="success" type="view" value="listMiniproduct"/>
 </request-map>
diff --git a/applications/product/webapp/facility/WEB-INF/controller.xml b/applications/product/webapp/facility/WEB-INF/controller.xml
index 0ddf8e0..35cb285 100644
--- a/applications/product/webapp/facility/WEB-INF/controller.xml
+++ b/applications/product/webapp/facility/WEB-INF/controller.xml
@@ -53,7 +53,7 @@ under the License.
 <response name="success" type="view" value="FindFacility"/>
 </request-map>
 <request-map uri="FacilitySearchResults">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <response name="success" type="view" value="FacilitySearchResults"/>
 </request-map>
 <request-map uri="EditFacility">
diff --git a/framework/common/webcommon/WEB-INF/common-controller.xml b/framework/common/webcommon/WEB-INF/common-controller.xml
index 80407c6..8fe8d0f 100644
--- a/framework/common/webcommon/WEB-INF/common-controller.xml
+++ b/framework/common/webcommon/WEB-INF/common-controller.xml
@@ -237,7 +237,7 @@ under the License.
 <!--========================== AJAX events =====================-->
 <!-- Get states related to a country -->
 <request-map uri="getAssociatedStateList">
- <security https="true" auth="false"/>
+ <security https="true" auth="true"/>
 <event type="service" invoke="getAssociatedStateList"/>
 <response name="success" type="request" value="json"/>
 <response name="error" type="request" value="json"/> |
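Review bot: The `getAssociatedStateList` change lives in `framework/common/webcommon/WEB-INF/common-controller.xml`, a shared controller rather than an application one, so its blast radius is wider than the commit title ("Application components") suggests. If any webapp that serves anonymous users includes this common controller (not visible here), the country-to-state AJAX lookup behind address forms will start returning a login redirect instead of JSON for every unauthenticated visitor. The data it returns is static reference data, so the risk being removed is small; please confirm the consumers before merging, and if the map is meant to stay public, say so in the comment above it, e.g. `<!-- Get states related to a country; intentionally unauthenticated: public reference data used by anonymous address forms -->`.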