Author: jleroux
Date: Sat Nov 7 14:34:07 2009
New Revision: 833686
URL: http://svn.apache.org/viewvc?rev=833686&view=rev
Log:
Fix an FTL security bug "Remove productstore role from store" reported by
Willem Janssen at https://issues.apache.org/jira/browse/OFBIZ-3174 - OFBIZ-3174
Modified:
ofbiz/trunk/applications/product/webapp/catalog/store/EditProductStoreRoles.ftl
Modified:
ofbiz/trunk/applications/product/webapp/catalog/store/EditProductStoreRoles.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/webapp/catalog/store/EditProductStoreRoles.ftl?rev=833686&r1=833685&r2=833686&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/webapp/catalog/store/EditProductStoreRoles.ftl
(original)
+++
ofbiz/trunk/applications/product/webapp/catalog/store/EditProductStoreRoles.ftl
Sat Nov 7 14:34:07 2009
@@ -47,7 +47,13 @@
<td> </td>
<#else>
<td align="center">
- <a
href="<@ofbizUrl>storeRemoveRole?productStoreId=${productStoreId}&partyId=${role.partyId}&roleTypeId=${role.roleTypeId}&fromDate=${role.fromDate}</@ofbizUrl>"
class="buttontext">${uiLabelMap.CommonDelete}</a>
+ <a
href="javascript:document.storeRemoveRole_${role_index}.submit();"
class="buttontext">${uiLabelMap.CommonDelete}</a>
+ <form name="storeRemoveRole_${role_index}" method="post"
action="<@ofbizUrl>storeRemoveRole</@ofbizUrl>">
+ <input type="hidden" name="productStoreId"
value="${productStoreId}"/>
+ <input type="hidden" name="partyId"
value="${role.partyId}"/>
+ <input type="hidden" name="roleTypeId"
value="${role.roleTypeId}"/>
+ <input type="hidden" name="fromDate"
value="${role.fromDate}"/>
+ </form>
</td>
</#if>
</tr>
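Review bot: The new `storeRemoveRole_${role_index}` form moves the delete to POST but carries no per-session anti-forgery token, so a cross-site form post would presumably still be accepted unless the controller checks one elsewhere; the request mapping (not in this diff) should also refuse GET so the old URL stops working. If the framework provides a token, add it as a hidden field, e.g. `<input type="hidden" name="CSRF_TOKEN_NAME_PLACEHOLDER" value="${csrfTokenPlaceholder}"/>`. The submit trigger is a `javascript:` href, which fails without scripting and rules out a strict CSP; a real control inside the form, such as `<input type="submit" class="buttontext" value="${uiLabelMap.CommonDelete}"/>`, avoids both. The hidden `value="${...}"` attributes are interpolated with no escaping visible in the hunk, so confirm that output escaping is applied (for example `${role.partyId?html}`). The enclosing `<#if>` / `<tr>` block starts outside the hunk.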