Author: jleroux
Date: Thu Mar 11 22:25:32 2010
New Revision: 922042
URL: http://svn.apache.org/viewvc?rev=922042&view=rev
Log:
Fix a security issue reported by Heidi Dehaes at "unsubscribe from a contactlist in the "profile" screen in the ecommerce screens" (https://issues.apache.org/jira/browse/OFBIZ-3396) - OFBIZ-3396
Actually this commit fixes rather 2 security issues

Modified:
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl

Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl?rev=922042&r1=922041&r2=922042&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl (original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl Thu Mar 11 22:25:32 2010
@@ -484,8 +484,16 @@ under the License. <td>${emailAddress.infoString?if_exists}</td> <td> </td> <td> - <#if (contactListParty.statusId?if_exists == "CLPT_ACCEPTED")> - <a href="<@ofbizUrl>updateContactListParty?partyId=${party.partyId}&contactListId=${contactListParty.contactListId}&fromDate=${contactListParty.fromDate}&statusId=CLPT_REJECTED</@ofbizUrl>" class="button">${uiLabelMap.EcommerceUnsubscribe}</a> + <#if (contactListParty.statusId?if_exists == "CLPT_ACCEPTED")> + <form method="post" action="<@ofbizUrl>updateContactListParty</@ofbizUrl>" name="clistRejectForm${contactListParty_index}"> + <div> + <input type="hidden" name="partyId" value="${party.partyId}"/> + <input type="hidden" name="contactListId" value="${contactListParty.contactListId}"/> + <input type="hidden" name="fromDate" value="${contactListParty.fromDate}"/> + <input type="hidden" name="statusId" value="CLPT_REJECTED"/> + <input type="submit" value="${uiLabelMap.EcommerceUnsubscribe}" class="smallSubmit"/> + </div> + </form> <#elseif (contactListParty.statusId?if_exists == "CLPT_PENDING")> <form method="post" action="<@ofbizUrl>updateContactListParty</@ofbizUrl>" name="clistAcceptForm${contactListParty_index}"> <div> 
@@ -498,7 +506,15 @@ under the License. </div> </form> <#elseif (contactListParty.statusId?if_exists == "CLPT_REJECTED")> - <a href="<@ofbizUrl>updateContactListParty?partyId=${party.partyId}&contactListId=${contactListParty.contactListId}&fromDate=${contactListParty.fromDate}&statusId=CLPT_PENDING</@ofbizUrl>" class="button">${uiLabelMap.EcommerceSubscribe}</a> + <form method="post" action="<@ofbizUrl>updateContactListParty</@ofbizUrl>" name="clistPendForm${contactListParty_index}"> + <div> + <input type="hidden" name="partyId" value="${party.partyId}"/> + <input type="hidden" name="contactListId" value="${contactListParty.contactListId}"/> + <input type="hidden" name="fromDate" value="${contactListParty.fromDate}"/> + <input type="hidden" name="statusId" value="CLPT_PENDING"/> + <input type="submit" value="${uiLabelMap.EcommerceSubscribe}" class="smallSubmit"/> + </div> + </form> </#if> </td> </tr> |
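Review bot: in the first hunk (clistRejectForm), moving the unsubscribe action from a GET link to a POST form stops the status change from being triggered by following a plain link, but the form still carries no anti-forgery token and partyId remains a client-supplied hidden field. For the POST form to be a complete fix, updateContactListParty should verify the posted partyId against the logged-in party (or derive it from the session) and reject cross-site submissions; otherwise the request is only harder to trigger, not protected.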
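Review bot: the second hunk (clistPendForm) repeats the body of clistRejectForm and clistAcceptForm verbatim, differing only in the statusId value and the button label. A single FreeMarker macro taking statusId and the label would avoid three copies of the same hidden inputs, so that any later change to the form (for example adding a request token or escaping the fromDate value with ?html) lands in one place instead of three.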