svn commit: r1748184 - in /ofbiz/branches: release13.07/applications/product/webapp/catalog/product/ release14.12/applications/product/webapp/catalog/product/ release15.12/applications/product/webapp/catalog/product/


jleroux@apache.org
Author: jleroux
Date: Mon Jun 13 11:51:37 2016
New Revision: 1748184

URL: http://svn.apache.org/viewvc?rev=1748184&view=rev
Log:
Backports by hand a patch from Ravi Lodhi for "Remove product feature in Quick Admin page not secure" - https://issues.apache.org/jira/browse/OFBIZ-7319 reported by Florian Montalbano

When trying to remove a product feature from the quick admin page of a product, you get the following error:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productId] passed to secure (https) request-map with uri [quickAdminRemoveFeatureFromProduct] with an event that calls service [removeFeatureFromProduct]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at http://cwiki.apache.org/confluence/x/JIB2 Thank you in advance for your help.

Steps to reproduce the error:

    Go to the catalog and search for any product (https://localhost:8443/catalog/control/FindProduct)
    Go to the "Quick Admin" tab (https://localhost:8443/catalog/control/EditProductQuickAdmin?productId=WG-9943-B3)
    Add a standard feature type (Color for example)
    Select an option from the drop-down of the feature type (Black for example) and add the feature.
    Try to delete it by clicking on the button with a cross.
    The error shows up.

Modified:
    ofbiz/branches/release13.07/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl
    ofbiz/branches/release14.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl
    ofbiz/branches/release15.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl

Modified: ofbiz/branches/release13.07/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release13.07/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl?rev=1748184&r1=1748183&r2=1748184&view=diff
==============================================================================
--- ofbiz/branches/release13.07/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl (original)
+++ ofbiz/branches/release13.07/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl Mon Jun 13 11:51:37 2016
@@ -329,8 +329,14 @@ function doPublish() {
                 <#list standardFeatureAppls as standardFeatureAppl>
                     <#assign featureId = standardFeatureAppl.productFeatureId/>
                     <tr valign="middle"<#if rowClass == "1"> class="alternate-row"</#if>>
-                        <td colspan="2"><a href='<@ofbizUrl>quickAdminRemoveFeatureFromProduct?productId=${standardFeatureAppl.productId?if_exists}&amp;productFeatureId=${featureId?if_exists}&amp;fromDate=${(standardFeatureAppl.fromDate)?if_exists}</@ofbizUrl>' class="buttontext">x</a>
-                        ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                        <td colspan="2">
+                          <form name="quickAdminRemoveFeature_${standardFeatureAppl_index}" action="<@ofbizUrl>quickAdminRemoveFeatureFromProduct</@ofbizUrl>" method="post">
+                            <input type="hidden" name="productId" value="${standardFeatureAppl.productId!}" />
+                            <input type="hidden" name="productFeatureId" value="${featureId!}" />
+                            <input type="hidden" name="fromDate" value="${(standardFeatureAppl.fromDate)!}" />
+                            <a href="javascript:document.quickAdminRemoveFeature_${standardFeatureAppl_index}.submit();" class="buttontext">x</a>
+                            ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                          </form>
                         </td>
                     </tr>
                     <#-- toggle the row color -->
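Review bot: the added hidden inputs use the `!` default operator (`value="${standardFeatureAppl.productId!}"`) while the release13.07 line being removed uses `?if_exists`, so this file now mixes both spellings; both are valid FreeMarker, but the 13.07 branch should stay on one form, so either keep `?if_exists` in these three inputs or convert the whole template in a separate commit. Separately, the remove action now sits behind `href="javascript:document.quickAdminRemoveFeature_${standardFeatureAppl_index}.submit();"`, which silently does nothing when scripting is disabled; a `<button type="submit" class="buttontext">x</button>` inside the form would post without JavaScript and keep the same look.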

Modified: ofbiz/branches/release14.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release14.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl?rev=1748184&r1=1748183&r2=1748184&view=diff
==============================================================================
--- ofbiz/branches/release14.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl (original)
+++ ofbiz/branches/release14.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl Mon Jun 13 11:51:37 2016
@@ -329,8 +329,14 @@ function doPublish() {
                 <#list standardFeatureAppls as standardFeatureAppl>
                     <#assign featureId = standardFeatureAppl.productFeatureId/>
                     <tr valign="middle"<#if rowClass == "1"> class="alternate-row"</#if>>
-                        <td colspan="2"><a href='<@ofbizUrl>quickAdminRemoveFeatureFromProduct?productId=${standardFeatureAppl.productId!}&amp;productFeatureId=${featureId!}&amp;fromDate=${(standardFeatureAppl.fromDate)!}</@ofbizUrl>' class="buttontext">x</a>
-                        ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                        <td colspan="2">
+                          <form name="quickAdminRemoveFeature_${standardFeatureAppl_index}" action="<@ofbizUrl>quickAdminRemoveFeatureFromProduct</@ofbizUrl>" method="post">
+                            <input type="hidden" name="productId" value="${standardFeatureAppl.productId!}" />
+                            <input type="hidden" name="productFeatureId" value="${featureId!}" />
+                            <input type="hidden" name="fromDate" value="${(standardFeatureAppl.fromDate)!}" />
+                            <a href="javascript:document.quickAdminRemoveFeature_${standardFeatureAppl_index}.submit();" class="buttontext">x</a>
+                            ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                          </form>
                         </td>
                     </tr>
                     <#-- toggle the row color -->
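Review bot: the three hidden field values (`value="${standardFeatureAppl.productId!}"`, `value="${featureId!}"`, `value="${(standardFeatureAppl.fromDate)!}"`) and the two feature descriptions on the following line are interpolated directly into attribute and element content with no escaping; unless this template runs with FreeMarker HTML auto-escaping enabled, an id or description containing `"` or `<` breaks out of the attribute or element, so confirm auto-escaping is on for this view or apply `?html` to each interpolation.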

Modified: ofbiz/branches/release15.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl
URL: http://svn.apache.org/viewvc/ofbiz/branches/release15.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl?rev=1748184&r1=1748183&r2=1748184&view=diff
==============================================================================
--- ofbiz/branches/release15.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl (original)
+++ ofbiz/branches/release15.12/applications/product/webapp/catalog/product/EditProductQuickAdmin.ftl Mon Jun 13 11:51:37 2016
@@ -329,8 +329,14 @@ function doPublish() {
                 <#list standardFeatureAppls as standardFeatureAppl>
                     <#assign featureId = standardFeatureAppl.productFeatureId/>
                     <tr valign="middle"<#if rowClass == "1"> class="alternate-row"</#if>>
-                        <td colspan="2"><a href='<@ofbizUrl>quickAdminRemoveFeatureFromProduct?productId=${standardFeatureAppl.productId!}&amp;productFeatureId=${featureId!}&amp;fromDate=${(standardFeatureAppl.fromDate)!}</@ofbizUrl>' class="buttontext">x</a>
-                        ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                        <td colspan="2">
+                          <form name="quickAdminRemoveFeature_${standardFeatureAppl_index}" action="<@ofbizUrl>quickAdminRemoveFeatureFromProduct</@ofbizUrl>" method="post">
+                            <input type="hidden" name="productId" value="${standardFeatureAppl.productId!}" />
+                            <input type="hidden" name="productFeatureId" value="${featureId!}" />
+                            <input type="hidden" name="fromDate" value="${(standardFeatureAppl.fromDate)!}" />
+                            <a href="javascript:document.quickAdminRemoveFeature_${standardFeatureAppl_index}.submit();" class="buttontext">x</a>
+                            ${productFeatureTypeLookup.get(featureId).description}: ${standardFeatureLookup.get(featureId).description}
+                          </form>
                         </td>
                     </tr>
                     <#-- toggle the row color -->
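Review bot: the form carries only the action URL and the three hidden fields, so this satisfies the secure request-map rule quoted in the log (the ids no longer travel in the URL) but is not a cross-site protection; any page that can make an authenticated browser POST those three predictable values to `quickAdminRemoveFeatureFromProduct` still removes the feature, and nothing in the hunk adds a request token. Also, `<form>` elements cannot nest: if this table is rendered inside another form on the Quick Admin page, browsers drop the inner `<form>` and `document.quickAdminRemoveFeature_${standardFeatureAppl_index}` is undefined, so verify the enclosing markup before merging.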
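The rule the quoted error enforces, shown as an added, runnable illustration in Python (this is not OFBiz code; the project implements the check in Java inside its event handling): a request-map flagged secure whose event calls a service must receive that service's input parameters in the POST body, never in the query string, so the old `<a href=...>` link is rejected while the new hidden-field form passes. The request-map, the service definition, the `COLOR_BLACK` feature id, the `fromDate` value and the raw HTTP requests are all constructed for the example.

```python
"""Added illustration (not OFBiz code) of the rule behind the error quoted in
the log: a request-map marked secure (https) whose event calls a service must
receive that service's input parameters in the POST body, not the URL.
The request-map, service definition and raw HTTP requests below are
constructed for the example; COLOR_BLACK and the fromDate value are made up.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class RequestMap:
    """Minimal stand-in for a controller.xml <request-map> entry."""
    uri: str
    https: bool
    service: str


@dataclass(frozen=True)
class ServiceDef:
    """Minimal stand-in for a service definition: its IN parameter names."""
    name: str
    in_params: frozenset


QUICK_ADMIN_REMOVE = RequestMap(
    uri="quickAdminRemoveFeatureFromProduct", https=True,
    service="removeFeatureFromProduct")
REMOVE_FEATURE_FROM_PRODUCT = ServiceDef(
    name="removeFeatureFromProduct",
    in_params=frozenset({"productId", "productFeatureId", "fromDate"}))

# Constructed request as produced by the old <a href=...> link (everything in the URL).
OLD_GET_REQUEST = (
    "GET /catalog/control/quickAdminRemoveFeatureFromProduct"
    "?productId=WG-9943-B3&productFeatureId=COLOR_BLACK"
    "&fromDate=2016-06-13%2011%3A51%3A37.0 HTTP/1.1\r\n"
    "Host: localhost:8443\r\n\r\n")

# Constructed request as produced by the new hidden-field <form method="post">.
NEW_POST_REQUEST = (
    "POST /catalog/control/quickAdminRemoveFeatureFromProduct HTTP/1.1\r\n"
    "Host: localhost:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "productId=WG-9943-B3&productFeatureId=COLOR_BLACK"
    "&fromDate=2016-06-13%2011%3A51%3A37.0")

# Constructed half-fixed request: POST body, but productId still in the URL.
MIXED_REQUEST = (
    "POST /catalog/control/quickAdminRemoveFeatureFromProduct?productId=WG-9943-B3 HTTP/1.1\r\n"
    "Host: localhost:8443\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "productFeatureId=COLOR_BLACK&fromDate=2016-06-13%2011%3A51%3A37.0")


def parse_request(raw):
    """Return (method, path, query_params, form_params) for a raw HTTP/1.1
    request with an optional application/x-www-form-urlencoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, parts.path, query, form


def url_params_passed_to_secure_service(req_map, service, query):
    """Sorted names of the service's IN parameters that arrived in the URL of
    a secure request-map. An empty list means the request passes the check;
    a non-secure request-map is never checked."""
    if not req_map.https:
        return []
    return sorted(name for name in query if name in service.in_params)


def check_request(raw, req_map, service):
    """Apply the rule to a raw request aimed at req_map. Raises ValueError if
    the request targets a different request-map; otherwise returns the list
    of offending parameter names (empty when the request is acceptable)."""
    _method, path, query, _form = parse_request(raw)
    if path.rsplit("/", 1)[-1] != req_map.uri:
        raise ValueError(f"request does not target request-map {req_map.uri}")
    return url_params_passed_to_secure_service(req_map, service, query)


if __name__ == "__main__":
    for label, raw in (("old GET link", OLD_GET_REQUEST),
                       ("new POST form", NEW_POST_REQUEST),
                       ("productId left in URL", MIXED_REQUEST)):
        bad = check_request(raw, QUICK_ADMIN_REMOVE, REMOVE_FEATURE_FROM_PRODUCT)
        print(f"{label}: {'rejected ' + str(bad) if bad else 'accepted'}")
```

The third request shows why the whole link had to become a form rather than just gaining a POST method: a single service parameter left in the query string is enough for the rule to fire, which is exactly the `productId` the error message names. Note that the check decides on parameter placement only; it does not look at the body, so it says nothing about the forgeability of the resulting POST.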