svn commit: r1746823 - /ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl

Author: pranayp
Date: Sat Jun  4 13:24:55 2016
New Revision: 1746823

URL: http://svn.apache.org/viewvc?rev=1746823&view=rev
Log:
Manually applied fix from trunk revision 1746820.
---------------------------------------------------------------------

[OFBIZ-7162] Fixed security issue with delete child period in EditCustomTimePeriod.

Thanks Montalbano Florian for reporting the issue and thanks Arjun Kaushal for providing the patch.
---------------------------------------------------------------------

Modified:
    ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl

Modified: ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl?rev=1746823&r1=1746822&r2=1746823&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl (original)
+++ ofbiz/branches/release14.12/applications/accounting/webapp/accounting/period/EditCustomTimePeriod.ftl Sat Jun  4 13:24:55 2016
@@ -60,7 +60,7 @@ under the License.
           <td>${uiLabelMap.AccountingPeriodName}</td>
           <td>${uiLabelMap.CommonFromDate}</td>
           <td>${uiLabelMap.CommonThruDate}</td>
-          <td>&nbsp;</td>
+          <td colspan="2">&nbsp;</td>
         </tr>
           <tr>
             <td>${currentCustomTimePeriod.customTimePeriodId}</td>
@@ -124,12 +124,16 @@ under the License.
             </td>
             <td class="button-col">
               <input type="submit" value='${uiLabelMap.CommonUpdate}'/>
-              <a href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${currentCustomTimePeriod.customTimePeriodId}</@ofbizUrl>'>
-              ${uiLabelMap.CommonDelete}</a>
+            </td>
+        </form>
+            <td class="button-col">
+              <form method="post" action='<@ofbizUrl>deleteCustomTimePeriod</@ofbizUrl>' name='deleteCustomTimePeriodForm'>
+                <input type="hidden" name="customTimePeriodId" value="${currentCustomTimePeriod.customTimePeriodId!}" />
+                <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+              </form>
             </td>
           </tr>
       </table>
-        </form>
     <#else>
       <div class="screenlet-body">${uiLabelMap.AccountingNoCurrentCustomTimePeriodSelected}</div>
     </#if>
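Review bot: The `</form>` added right after the Update cell now closes the update form between two `<td>` elements, while the removed `</form>` sat after `</table>`, which suggests the form opens outside the table. A form that opens outside the table and closes inside a row is mis-nested, and HTML parsers may associate the inputs differently from what the template intends, so please confirm the opening tag was moved to match or keep the close where it was. Since the fix depends on replacing the GET delete link with a POST form, it is also worth confirming that the deleteCustomTimePeriod request no longer accepts the old query-string URL, which these lines do not show.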
@@ -152,7 +156,7 @@ under the License.
           <td>${uiLabelMap.AccountingPeriodName}</td>
           <td>${uiLabelMap.CommonFromDate}</td>
           <td>${uiLabelMap.CommonThruDate}</td>
-          <td>&nbsp;</td>
+          <td colspan="3">&nbsp;</td>
         </tr>
         <#assign line = 0>
         <#list customTimePeriods as customTimePeriod>
@@ -216,12 +220,18 @@ under the License.
              </td>
              <td class="button-col">
               <input type="submit" value='${uiLabelMap.CommonUpdate}'/>
-              <a href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${customTimePeriod.customTimePeriodId!}&amp;currentCustomTimePeriodId=${currentCustomTimePeriodId!}&amp;findOrganizationPartyId=${findOrganizationPartyId!}</@ofbizUrl>'>
-              ${uiLabelMap.CommonDelete}</a>
-              <a href='<@ofbizUrl>EditCustomTimePeriod?currentCustomTimePeriodId=${customTimePeriod.customTimePeriodId!}&amp;findOrganizationPartyId=${findOrganizationPartyId!}</@ofbizUrl>'>
-              ${uiLabelMap.CommonSetAsCurrent}</a>
-            </td>
-            </form>
+             </td>
+             </form>
+             <td class="button-col">
+               <form method="post" action='<@ofbizUrl>deleteCustomTimePeriod</@ofbizUrl>' name='lineForm${line}'>
+                 <input type="hidden" name="customTimePeriodId" value="${customTimePeriod.customTimePeriodId!}" />
+                 <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+               </form>
+             </td>
+             <td class="button-col">
+               <a href='<@ofbizUrl>EditCustomTimePeriod?currentCustomTimePeriodId=${customTimePeriod.customTimePeriodId!}&amp;findOrganizationPartyId=${findOrganizationPartyId!}</@ofbizUrl>'>
+               ${uiLabelMap.CommonSetAsCurrent}</a>
+             </td>
           </tr>
         </#list>
       </table>
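Review bot: The new delete form in the list row posts only `customTimePeriodId`, whereas the removed link also passed `currentCustomTimePeriodId` and `findOrganizationPartyId`. If the view rendered after the delete uses those to redisplay the selected period and organization, add them as hidden inputs so the user does not lose that context. The form name `lineForm${line}` should also be checked against the name of the update form in the same row, so that two forms do not end up sharing one name.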