Re: Security issue?

Posted by Jacques Le Roux on Dec 14, 2011; 12:51pm
URL: http://ofbiz.116.s1.nabble.com/Security-issue-tp4122968p4194776.html

Actually from the UI side this is not permitted. If you do otherwise, or if the user uses URLs, then it needs to be handled one way or
another. For me it's not a problem for OFBiz OOTB though...

Jacques

Dimitri Unruh wrote:

> Hi everybody,
>
> I got a strange behavior with request chaining.
>
> Should we allow the following requests for an anonymous user?
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/ordercomplete
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/viewprofile
> http://demo-trunk.ofbiz.apache.org/ecommerce/control/view/changepassword
>
> I know that a screen should check permissions, but anyway....
>
> What do you think?
>
>
> Kind regards
> Best Regards
>
>
> Dimitri Unruh
> Consultant AEW
> Lynx-Consulting GmbH
> Johanniskirchplatz 6
> 33615 Bielefeld
> Deutschland
> Fon: +49 521 5247-0
> Fax: +49 521 5247-250
> Mobil: +49 160 90 57 55 13