This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git.

    from 6b0c188  Fixed: Product Images not rendering on One Page Checkout (OFBIZ-11400)
     new cf272a9  Improved: POC for CSRF Token
     new aa26d8f  Adds the meta CSRF token for Ajax

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 ecommerce/template/includes/HeaderHead.ftl        | 5 +++++
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git commit cf272a9750db86927d6f2692320fe0f4165dd0ff Author: Jacques Le Roux <[hidden email]> AuthorDate: Fri Mar 27 14:43:52 2020 +0100 Improved: POC for CSRF Token (OFBIZ-11306) There is no need to change it in common-controller because, apart the ecommerce application, there are no applications that requires an anonymous flow. It should be only changed in ecommerce controller. --- ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml index 5f7031c..d9047f4 100644 --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml @@ -1605,7 +1605,7 @@ under the License. </request-map> <request-map uri="getAssociatedStateList"> - <security https="true" auth="false"/> + <security https="true" auth="false" csrf-token="false"/> <event type="service" invoke="getAssociatedStateList"/> <response name="success" type="request" value="json"/> <response name="error" type="request" value="json"/> |
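Review bot: the hunk turns off CSRF token verification for getAssociatedStateList (csrf-token="false") but neither the commit message nor a comment in controller.xml records why the exemption is safe; the request is anonymous (auth="false") and invokes a service that answers with JSON, so the only acceptable justification is that it is a read-only lookup with no side effects, and that is exactly what should be written next to the attribute so a later change that gives the service side effects is caught in review. The other commit in this thread adds a meta csrf-token for Ajax callers, so an alternative worth recording is to keep the check on and have the Ajax call send the token; if the exemption stays, suggest an XML comment above `<security https="true" auth="false" csrf-token="false"/>` such as `<!-- anonymous read-only JSON lookup; no state change, so no CSRF token required -->`.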
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git commit aa26d8f0cfeea2035d638d8b9ee34a173f2a7860 Author: Jacques Le Roux <[hidden email]> AuthorDate: Sat Mar 28 09:54:12 2020 +0100 Adds the meta CSRF token for Ajax --- ecommerce/template/includes/HeaderHead.ftl | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ecommerce/template/includes/HeaderHead.ftl b/ecommerce/template/includes/HeaderHead.ftl index 0ceb444..fb0ae48 100644 --- a/ecommerce/template/includes/HeaderHead.ftl +++ b/ecommerce/template/includes/HeaderHead.ftl @@ -25,6 +25,11 @@ under the License. <head> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/> + <#assign csrfDefenseStrategy = Static["org.apache.ofbiz.entity.util.EntityUtilProperties"].getPropertyValue("security", "csrf.defense.strategy", delegator)> + <#if csrfDefenseStrategy != "org.apache.ofbiz.security.NoCsrfDefenseStrategy"> + <meta name="csrf-token" content="<@csrfTokenAjax/>"/> + </#if> + <title><#if title?has_content>${title}<#elseif titleProperty?has_content>${uiLabelMap.get(titleProperty)}</#if> : ${(productStore.storeName)!} </title> |
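Review bot: the `<#if csrfDefenseStrategy != "org.apache.ofbiz.security.NoCsrfDefenseStrategy">` test hard-codes a class name into the template and reads the property without a default, so every template that wants the Ajax token has to repeat both; suggest moving the "is CSRF defense enabled" decision into the `csrfTokenAjax` macro itself (emit nothing when the no-op strategy is configured) so the template reduces to `<meta name="csrf-token" content="<@csrfTokenAjax/>"/>`. If the check stays in the template, guard the read with FreeMarker's default operator, `(Static["org.apache.ofbiz.entity.util.EntityUtilProperties"].getPropertyValue("security", "csrf.defense.strategy", delegator))!""`, so an absent property falls through to emitting the token instead of failing the page. The commit message should also name the consumer of the tag (the Ajax code that reads `meta[name="csrf-token"]` and sends the value with its requests), since nothing in this hunk uses it, and the trailing blank `+` line before `<title>` looks unintended.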