Author: jleroux
Date: Thu Mar 11 22:25:32 2010
New Revision: 922042
URL: http://svn.apache.org/viewvc?rev=922042&view=rev
Log:
Fix a security issue reported by Heidi Dehaes at "unsubscribe from a
contactlist in the "profile" screen in the ecommerce screens"
(https://issues.apache.org/jira/browse/OFBIZ-3396) - OFBIZ-3396
This commit actually fixes two security issues.
Modified:
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
Modified:
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl?rev=922042&r1=922041&r2=922042&view=diff
==============================================================================
---
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
(original)
+++
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl
Thu Mar 11 22:25:32 2010
@@ -484,8 +484,16 @@ under the License.
<td>${emailAddress.infoString?if_exists}</td>
<td> </td>
<td>
- <#if (contactListParty.statusId?if_exists == "CLPT_ACCEPTED")>
- <a
href="<@ofbizUrl>updateContactListParty?partyId=${party.partyId}&contactListId=${contactListParty.contactListId}&fromDate=${contactListParty.fromDate}&statusId=CLPT_REJECTED</@ofbizUrl>"
class="button">${uiLabelMap.EcommerceUnsubscribe}</a>
+ <#if (contactListParty.statusId?if_exists == "CLPT_ACCEPTED")>
+ <form method="post"
action="<@ofbizUrl>updateContactListParty</@ofbizUrl>"
name="clistRejectForm${contactListParty_index}">
+ <div>
+ <input type="hidden" name="partyId" value="${party.partyId}"/>
+ <input type="hidden" name="contactListId"
value="${contactListParty.contactListId}"/>
+ <input type="hidden" name="fromDate"
value="${contactListParty.fromDate}"/>
+ <input type="hidden" name="statusId" value="CLPT_REJECTED"/>
+ <input type="submit" value="${uiLabelMap.EcommerceUnsubscribe}"
class="smallSubmit"/>
+ </div>
+ </form>
<#elseif (contactListParty.statusId?if_exists == "CLPT_PENDING")>
<form method="post"
action="<@ofbizUrl>updateContactListParty</@ofbizUrl>"
name="clistAcceptForm${contactListParty_index}">
<div>
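Review bot: The new POST form at L32–L45 (and the matching one in the second hunk, L58–L71) carries no anti-forgery token, so replacing the GET link with a POST form stops the state change from being triggered by a plain link but does not by itself prevent cross-site request forgery, since the whole request body is fixed by the four hidden inputs (partyId, contactListId, fromDate, statusId). A per-session token submitted as one more hidden input, e.g. `<input type="hidden" name="<TOKEN_PARAM>" value="${<sessionToken>}"/>` (placeholder names), and checked by the `updateContactListParty` request handler would close that gap; the handler is not visible from this hunk. Independently, the `partyId` hidden field is client-controlled once submitted, so the handler must still compare it with the logged-in user's party rather than trust it. Finally, `${party.partyId}`, `${contactListParty.contactListId}` and `${contactListParty.fromDate}` are written into attribute values unescaped; unless the screen context already HTML-escapes them, `?html` on each value would be the safer form. The enclosing `<tr>` and the loop that defines `contactListParty_index` start outside the hunk.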
@@ -498,7 +506,15 @@ under the License.
</div>
</form>
<#elseif (contactListParty.statusId?if_exists == "CLPT_REJECTED")>
- <a
href="<@ofbizUrl>updateContactListParty?partyId=${party.partyId}&contactListId=${contactListParty.contactListId}&fromDate=${contactListParty.fromDate}&statusId=CLPT_PENDING</@ofbizUrl>"
class="button">${uiLabelMap.EcommerceSubscribe}</a>
+ <form method="post"
action="<@ofbizUrl>updateContactListParty</@ofbizUrl>"
name="clistPendForm${contactListParty_index}">
+ <div>
+ <input type="hidden" name="partyId" value="${party.partyId}"/>
+ <input type="hidden" name="contactListId"
value="${contactListParty.contactListId}"/>
+ <input type="hidden" name="fromDate"
value="${contactListParty.fromDate}"/>
+ <input type="hidden" name="statusId" value="CLPT_PENDING"/>
+ <input type="submit" value="${uiLabelMap.EcommerceSubscribe}"
class="smallSubmit"/>
+ </div>
+ </form>
</#if>
</td>
</tr>