Author: pranayp
Date: Sat Jun 4 13:20:58 2016
New Revision: 1746820
URL: http://svn.apache.org/viewvc?rev=1746820&view=rev
Log:
[OFBIZ-7162] Fixed security issue with delete child period in
EditCustomTimePeriod.
Thanks Montalbano Florian for reporting the issue and thanks Arjun Kaushal for
providing the patch.
Modified:
ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Modified:
ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl?rev=1746820&r1=1746819&r2=1746820&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
(original)
+++
ofbiz/trunk/applications/accounting/template/period/EditCustomTimePeriod.ftl
Sat Jun 4 13:20:58 2016
@@ -60,7 +60,7 @@ under the License.
<td>${uiLabelMap.AccountingPeriodName}</td>
<td>${uiLabelMap.CommonFromDate}</td>
<td>${uiLabelMap.CommonThruDate}</td>
- <td> </td>
+ <td colspan="2"> </td>
</tr>
<tr>
<td>${currentCustomTimePeriod.customTimePeriodId}</td>
@@ -124,12 +124,16 @@ under the License.
</td>
<td class="button-col">
<input type="submit" value='${uiLabelMap.CommonUpdate}'/>
- <a
href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${currentCustomTimePeriod.customTimePeriodId}</@ofbizUrl>'>
- ${uiLabelMap.CommonDelete}</a>
+ </td>
+ </form>
+ <td class="button-col">
+ <form method="post"
action='<@ofbizUrl>deleteCustomTimePeriod</@ofbizUrl>'
name='deleteCustomTimePeriodForm'>
+ <input type="hidden" name="customTimePeriodId"
value="${currentCustomTimePeriod.customTimePeriodId!}" />
+ <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+ </form>
</td>
</tr>
</table>
- </form>
<#else>
<div
class="screenlet-body">${uiLabelMap.AccountingNoCurrentCustomTimePeriodSelected}</div>
</#if>
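Review bot: The `</form>` now placed right after `</td>` on the line before the new `<td class="button-col">` closes the update form between two cells of the same `<tr>`, which is not valid HTML; the form's opening tag (and the table it wraps) sit outside this hunk, and the old closing tag after `</table>` is the one being removed. Browsers tolerate this through parser error recovery, so the delete form will usually work, but a validator rejects it and the association of the Delete button with the correct form depends on that recovery rather than on the markup. The same pattern appears in the last hunk of this file (the `</form>` before the second `<td class="button-col">`). A cleaner layout keeps the update form's closing tag after the table and gives the delete form its own place outside the update form, e.g. by moving the update `<form>` to wrap only its own cells, or by placing `<form method="post" action="…deleteCustomTimePeriod…" name="deleteCustomTimePeriodForm">` after `</table>` and pointing the hidden input and submit at it with `form="deleteCustomTimePeriodForm"` (which also needs an `id` on that form).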
@@ -152,7 +156,7 @@ under the License.
<td>${uiLabelMap.AccountingPeriodName}</td>
<td>${uiLabelMap.CommonFromDate}</td>
<td>${uiLabelMap.CommonThruDate}</td>
- <td> </td>
+ <td colspan="3"> </td>
</tr>
<#assign line = 0>
<#list customTimePeriods as customTimePeriod>
@@ -213,15 +217,21 @@ under the License.
<#if nowTimestamp.after(compareDate)><#assign hasExpired =
true></#if>
</#if>
<input type="text" size='13' name="thruDate"
value="${customTimePeriod.thruDate?string("yyyy-MM-dd")}"<#if hasExpired>
class="alert"</#if> />
- </td>
- <td class="button-col">
+ </td>
+ <td class="button-col">
<input type="submit" value='${uiLabelMap.CommonUpdate}'/>
- <a
href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${customTimePeriod.customTimePeriodId!}&currentCustomTimePeriodId=${currentCustomTimePeriodId!}&findOrganizationPartyId=${findOrganizationPartyId!}</@ofbizUrl>'>
- ${uiLabelMap.CommonDelete}</a>
+ </td>
+ </form>
+ <td class="button-col">
+ <form method="post"
action='<@ofbizUrl>deleteCustomTimePeriod</@ofbizUrl>' name='lineForm${line}'>
+ <input type="hidden" name="customTimePeriodId"
value="${customTimePeriod.customTimePeriodId!}" />
+ <input type="submit" value='${uiLabelMap.CommonDelete}'/>
+ </form>
+ </td>
+ <td class="button-col">
<a
href='<@ofbizUrl>EditCustomTimePeriod?currentCustomTimePeriodId=${customTimePeriod.customTimePeriodId!}&findOrganizationPartyId=${findOrganizationPartyId!}</@ofbizUrl>'>
${uiLabelMap.CommonSetAsCurrent}</a>
</td>
- </form>
</tr>
</#list>
</table>
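Review bot: The new per-row delete form sends only `customTimePeriodId`, while the link it replaces also carried `currentCustomTimePeriodId` and `findOrganizationPartyId`; if the deleteCustomTimePeriod request uses those to rebuild this screen after the delete (the neighbouring Set-As-Current link still passes both), the organisation filter and the current period selection would be lost on the way back. Adding the two values as hidden fields next to the existing one keeps the request equivalent to the old link: `<input type="hidden" name="currentCustomTimePeriodId" value="${currentCustomTimePeriodId!}" />` and `<input type="hidden" name="findOrganizationPartyId" value="${findOrganizationPartyId!}" />`. The new form is named `lineForm${line}`; if the row's update form (opened outside this hunk) uses the same name, any script or test that looks up `document.lineForm0` gets an ambiguous match, so a distinct name such as `deleteLineForm${line}` would be safer.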