[ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

[ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e72e134  Improved: "auth" should be true for all the request url used for Application components
e72e134 is described below

commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 14 08:49:54 2020 +0100

    Improved: "auth" should be true for all the request url used for Application
    components
   
    (OFBIZ-4956)
   
    Currently there are some URLs present in application components with
    auth="false". So anyone can hit these URLs and access these resources without
    authorization.
   
    I think all the URLs should be secure with auth="true"
   
    Thanks: Amardeep Singh Jhajj for report and initial fix
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 5f7031c..27a0383 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1605,7 +1605,7 @@ under the License.
     </request-map>
 
     <request-map uri="getAssociatedStateList">
-        <security https="true" auth="false"/>
+        <security https="true" auth="true"/>
         <event type="service" invoke="getAssociatedStateList"/>
         <response name="success" type="request" value="json"/>
         <response name="error" type="request" value="json"/>
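
Review bot: on the security line of the getAssociatedStateList request-map, switching auth to "true" cuts off every caller that has no session, and neither the hunk nor the commit message says which screens issue this request. Since it is a service event that answers with JSON, list the pages that call it and confirm none of them is reachable before login; if one is, keep auth="false" here and record the reason in a comment next to the request-map. The commit message also speaks of "all the URLs" while the diffstat shows one changed line in one file, so name the request in the message or say where the remaining ones are handled.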


Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Deepak Dixit-5
Hi Jacques,

I think we can't make auth true for getAssociatedStateList, this will break the anon checkout flow. 

Thanks & Regards
--
Deepak Dixit


On Sat, Mar 14, 2020 at 1:19 PM <[hidden email]> wrote:
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e72e134  Improved: "auth" should be true for all the request url used for Application components
e72e134 is described below

commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 14 08:49:54 2020 +0100

    Improved: "auth" should be true for all the request url used for Application
    components

    (OFBIZ-4956)

    Currently there are some URLs present in application components with
    auth="false". So anyone can hit these URLs and access these resources without
    authorization.

    I think all the URLs should be secure with auth="true"

    Thanks: Amardeep Singh Jhajj for report and initial fix
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 5f7031c..27a0383 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1605,7 +1605,7 @@ under the License.
     </request-map>

     <request-map uri="getAssociatedStateList">
-        <security https="true" auth="false"/>
+        <security https="true" auth="true"/>
         <event type="service" invoke="getAssociatedStateList"/>
         <response name="success" type="request" value="json"/>
         <response name="error" type="request" value="json"/>


Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Jacques Le Roux

Hi Deepak,

Yes, I wondered about that too, but in which case/s do you think getAssociatedStateList can be requested w/o being authenticated?

Thanks

Jacques

Le 16/03/2020 à 06:49, Deepak Dixit a écrit :
Hi Jacques,

I think we can't make auth true for getAssociatedStateList, this will break the anon checkout flow. 

Thanks & Regards
--
Deepak Dixit


On Sat, Mar 14, 2020 at 1:19 PM <[hidden email]> wrote:
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e72e134  Improved: "auth" should be true for all the request url used for Application components
e72e134 is described below

commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 14 08:49:54 2020 +0100

    Improved: "auth" should be true for all the request url used for Application
    components

    (OFBIZ-4956)

    Currently there are some URLs present in application components with
    auth="false". So anyone can hit these URLs and access these resources without
    authorization.

    I think all the URLs should be secure with auth="true"

    Thanks: Amardeep Singh Jhajj for report and initial fix
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 5f7031c..27a0383 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1605,7 +1605,7 @@ under the License.
     </request-map>

     <request-map uri="getAssociatedStateList">
-        <security https="true" auth="false"/>
+        <security https="true" auth="true"/>
         <event type="service" invoke="getAssociatedStateList"/>
         <response name="success" type="request" value="json"/>
         <response name="error" type="request" value="json"/>


  



	
	
	
	

Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Deepak Dixit-5
Like add Billing/shipping address while anon checkout, New customer registration etc.

Thanks & Regards
--
Deepak Dixit


On Mon, Mar 16, 2020 at 1:14 PM Jacques Le Roux <[hidden email]> wrote:

Hi Deepak,

Yes, I wondered about that too, but in which case/s do you think getAssociatedStateList can be requested w/o being authenticated?

Thanks

Jacques

Le 16/03/2020 à 06:49, Deepak Dixit a écrit :
Hi Jacques,

I think we can't make auth true for getAssociatedStateList, this will break the anon checkout flow. 

Thanks & Regards
--
Deepak Dixit


On Sat, Mar 14, 2020 at 1:19 PM <[hidden email]> wrote:
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e72e134  Improved: "auth" should be true for all the request url used for Application components
e72e134 is described below

commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Mar 14 08:49:54 2020 +0100

    Improved: "auth" should be true for all the request url used for Application
    components

    (OFBIZ-4956)

    Currently there are some URLs present in application components with
    auth="false". So anyone can hit these URLs and access these resources without
    authorization.

    I think all the URLs should be secure with auth="true"

    Thanks: Amardeep Singh Jhajj for report and initial fix
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 5f7031c..27a0383 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1605,7 +1605,7 @@ under the License.
     </request-map>

     <request-map uri="getAssociatedStateList">
-        <security https="true" auth="false"/>
+        <security https="true" auth="true"/>
         <event type="service" invoke="getAssociatedStateList"/>
         <response name="success" type="request" value="json"/>
         <response name="error" type="request" value="json"/>
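
An added example, not part of the thread or of OFBiz: a small audit that lists every request-map in a controller.xml that can be reached without login, so each one gets an explicit decision (kept anonymous, as argued above for getAssociatedStateList, or switched to auth="true"). The sample XML, its namespace, the allowlist and every uri other than getAssociatedStateList are constructed, and treating a missing security element as "auth off" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the request-map in the diff; all but the first uri are made up.
SAMPLE_CONTROLLER = """<site-conf xmlns="urn:example:site-conf">
  <request-map uri="getAssociatedStateList">
    <security https="true" auth="false"/>
    <event type="service" invoke="getAssociatedStateList"/>
    <response name="success" type="request" value="json"/>
  </request-map>
  <request-map uri="updateProfile">
    <security https="true" auth="false"/>
    <event type="service" invoke="updateProfile"/>
  </request-map>
  <request-map uri="editOrder">
    <security https="true" auth="true"/>
  </request-map>
  <request-map uri="main"/>
</site-conf>"""

# Hypothetical allowlist: requests deliberately left open (here, for anonymous checkout).
ANONYMOUS_ALLOWLIST = {"getAssociatedStateList"}


def local(tag):
    """Strip an XML namespace prefix such as {urn:...}request-map."""
    return tag.rsplit("}", 1)[-1]


def audit(controller_xml, allowlist=frozenset()):
    """Return (uri, event, status) for each request-map reachable without login."""
    findings = []
    for node in ET.fromstring(controller_xml).iter():
        if local(node.tag) != "request-map":
            continue
        children = {local(c.tag): c for c in node}
        security = children.get("security")
        # Assumption: a missing <security> element or auth attribute means auth is off.
        if security is not None and security.get("auth", "false").lower() == "true":
            continue
        event = children.get("event")
        invoke = event.get("invoke") if event is not None else None
        uri = node.get("uri")
        findings.append((uri, invoke, "allowlisted" if uri in allowlist else "review"))
    return findings


if __name__ == "__main__":
    for uri, invoke, status in audit(SAMPLE_CONTROLLER, ANONYMOUS_ALLOWLIST):
        print(f"{status:12} uri={uri} event={invoke}")
```

Run against each component's controller.xml in CI, a new "review" row flags an anonymous request before it ships, and the allowlist documents the ones left open on purpose.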