This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release24.09 by this push:
new cdab637f7 Improved: Remove unnecessary permissions and comment-out
code in ecommerce templates and controller for better security and
maintainability.
cdab637f7 is described below
commit cdab637f70c9de06f5bc2e27066d94a3c57bfef6
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Wed Mar 4 10:57:27 2026 +0100
Improved: Remove unnecessary permissions and comment-out code in ecommerce
templates and controller for better security and maintainability.
---
ecommerce/data/EcommerceSecurityData.xml | 2 --
ecommerce/template/content/RecentlyViewed.ftl | 2 ++
ecommerce/template/content/ShowContentTree.ftl | 5 ++++-
ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 12 +++++++++++-
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/ecommerce/data/EcommerceSecurityData.xml
b/ecommerce/data/EcommerceSecurityData.xml
index 7a68947d7..08596ccf5 100644
--- a/ecommerce/data/EcommerceSecurityData.xml
+++ b/ecommerce/data/EcommerceSecurityData.xml
@@ -19,6 +19,4 @@ under the License.
-->
<entity-engine-xml>
<SecurityGroup description="Customer user of ECOMMERCE Limited access to
own account" groupId="ECOMMERCE_CUSTOMER"/>
- <SecurityGroupPermission fromDate="2001-05-13 12:00:00.0"
groupId="ECOMMERCE_CUSTOMER" permissionId="CONTENTMGR_ROLE_CREATE"/>
- <SecurityGroupPermission fromDate="2001-05-13 12:00:00.0"
groupId="ECOMMERCE_CUSTOMER" permissionId="CONTENTMGR_ROLE_UPDATE"/>
</entity-engine-xml>
diff --git a/ecommerce/template/content/RecentlyViewed.ftl
b/ecommerce/template/content/RecentlyViewed.ftl
index 3e3b11d8c..f70f09cd1 100644
--- a/ecommerce/template/content/RecentlyViewed.ftl
+++ b/ecommerce/template/content/RecentlyViewed.ftl
@@ -28,9 +28,11 @@ under the License.
<div class="screenlet-body">
<#list mrvList as mrvArr>
<div class="browsecategorytext">
+ <#--
<a href="<@ofbizUrl>viewcontent?contentId=${mrvArr[0]}</@ofbizUrl>"
class="browsecategorybutton">
${mrvArr[1]}
</a>
+ -->
</div>
</#list>
</div>
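Review bot: Each `mrvList` entry now renders an empty `<div class="browsecategorytext">`, because the link and the `${mrvArr[1]}` title both went inside the new `<#-- -->`. If only the link to the now-disabled viewcontent request is meant to go, keep the title visible the way ShowContentTree.ftl keeps `${content.description!}`: close the comment after `</a>` and put `${mrvArr[1]}` on the line after `-->`. If the whole list is meant to disappear, the `<#list mrvList as mrvArr>` loop should go with it rather than emit empty divs. The surrounding screenlet markup starts outside the hunk.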
diff --git a/ecommerce/template/content/ShowContentTree.ftl
b/ecommerce/template/content/ShowContentTree.ftl
index ae51ce6c4..45383469d 100644
--- a/ecommerce/template/content/ShowContentTree.ftl
+++ b/ecommerce/template/content/ShowContentTree.ftl
@@ -95,10 +95,13 @@ under the License.
<#assign dummy=Static["org.apache.ofbiz.base.util.Debug"]
.logInfo("in showcontenttree, nodeTrailCsv(1):" + nodeTrailCsv, "")/>
<#local thisCsv=thisNodeTrailCsv + "," + subContentId />
+ <#--
<a class="tabButton"
href="<@ofbizUrl>viewcontent?contentId=${subContentId!}&nodeTrailCsv=${thisCsv}</@ofbizUrl>">
${uiLabelMap.CommonView}
- </a> ${content.description!}
+ </a>
+ -->
+ ${content.description!}
<br/>
</@loopSubContent>
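Review bot: `<#local thisCsv=thisNodeTrailCsv + "," + subContentId />` just above the new comment is now a dead assignment within this hunk: its only reader was the `nodeTrailCsv=${thisCsv}` href that the comment hides. Either move that `<#local>` line inside the `<#-- -->` or delete it, so the computation does not outlive the link; the `Debug.logInfo` call two lines above it, which logs nodeTrailCsv at INFO on every render, is older than this change but could get the same treatment. The `@loopSubContent` body begins outside the hunk, so confirm nothing else in it reads thisCsv before removing it.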
diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 2a0f67fd8..2ca419326 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1359,13 +1359,17 @@ under the License.
<response name="error" type="view" value="AddForumThread"/>
</request-map>
+ <!--
+ TODO: persistContentAndAssoc is not safe to call on untrusted input,
+ need to add a service that only updates the content and associations
+ we want to allow updated for forum messages and call that instead
<request-map uri="updateForumMessage">
<security https="true" auth="true"/>
<event type="service" invoke="persistContentAndAssoc"/>
<response name="success" type="view" value="Showforum"/>
<response name="error" type="view" value="AddForumThread"/>
</request-map>
-
+ -->
<!-- used in blog -->
<request-map uri="MainBlog">
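Review bot: The new TODO reads `we want to allow updated for forum messages`; it should read `we want to allow updates for forum messages`. Saying in one clause why persistContentAndAssoc is unsafe for this route would make the TODO actionable for whoever writes the replacement service — presumably because it persists whatever content and association fields arrive in the request, but that should be confirmed against the service definition, which is outside this diff, before it is written down. Since the block is commented rather than deleted, the comment is the only thing stopping a mechanical re-enable, so the wording matters.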
@@ -1453,10 +1457,12 @@ under the License.
<security https="true" auth="false"/>
<response name="success" type="view" value="showcontenttree"/>
</request-map>
+ <!--
<request-map uri="viewcontent">
<security https="true" auth="false"/>
<response name="success" type="view" value="viewcontent"/>
</request-map>
+ -->
<request-map uri="img">
<security auth="false" https="false"/>
<event type="java" path="org.apache.ofbiz.content.data.DataEvents"
invoke="serveImage"/>
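Review bot: The `<!--` opened before `<request-map uri="viewcontent">` carries no reason, unlike the TODO that accompanies updateForumMessage in the previous hunk; the same applies to the `stream` request-map commented out across the next two hunks and to the `viewcontent` view-map in the last one. A maintainer who later finds a commented-out `auth="false"` request has no way to tell whether it is safe to restore. Suggest one line inside each comment, e.g. `Disabled for security (commit cdab637f7); the links to it in RecentlyViewed.ftl and ShowContentTree.ftl were commented out in the same change. Do not re-enable without reviewing which content a caller-supplied contentId can reach.` If none of these routes is expected back, deleting the blocks (git keeps the history) is the cleaner option.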
@@ -1828,6 +1834,7 @@ under the License.
<response name="error" type="view" value="main"/>
</request-map>
+ <!--
<request-map uri="stream">
<security https="true" auth="true"/>
<event type="java" path="org.apache.ofbiz.content.data.DataEvents"
invoke="serveObjectData"/>
@@ -1835,6 +1842,7 @@ under the License.
<response name="error" type="view" value="error"/>
<response name="io-error" type="none"/>
</request-map>
+ -->
<request-map uri="showShoppingList">
<security https="false" auth="false"/>
@@ -1962,7 +1970,9 @@ under the License.
<!-- Content Views -->
<view-map name="defaultcontent" type="screen"
page="component://ecommerce/widget/ContentScreens.xml#defaultcontent"
auth="false"/>
<view-map name="showcontenttree" type="screen"
page="component://ecommerce/widget/ContentScreens.xml#showcontenttree"
auth="false"/>
+ <!--
<view-map name="viewcontent" type="screen"
page="component://ecommerce/widget/ContentScreens.xml#viewcontent"
auth="false"/>
+ -->
<view-map name="searchContent" type="screen"
page="component://ecommerce/widget/ContentScreens.xml#searchContent"
auth="false"/>
<!-- Forum Views -->