Hi Deepak,

Yes, I wondered about that too, but in which case/s do you think 
getAssociatedStateList can be requested w/o being authenticated?

Thanks

Jacques

On 16/03/2020 at 06:49, Deepak Dixit wrote:
Hi Jacques,

I think we can't make auth true for getAssociatedStateList; this will break the 
anon checkout flow.

Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org <http://ofbiz.apache.org>


On Sat, Mar 14, 2020 at 1:19 PM <jler...@apache.org> wrote:

    This is an automated email from the ASF dual-hosted git repository.

    jleroux pushed a commit to branch trunk
    in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


    The following commit(s) were added to refs/heads/trunk by this push:
         new e72e134  Improved: "auth" should be true for all the request url used for Application components
    e72e134 is described below

    commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
    Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
    AuthorDate: Sat Mar 14 08:49:54 2020 +0100

        Improved: "auth" should be true for all the request url used for Application
        components

        (OFBIZ-4956)

        Currently there are some URLs present in application components with
        auth="false". So anyone can hit these URLs and access these resources
        without authorization.

        I think all the URLs should be secure with auth="true"

        Thanks: Amardeep Singh Jhajj for report and initial fix
    ---
     ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)

    diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml 
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
    index 5f7031c..27a0383 100644
    --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
    +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
    @@ -1605,7 +1605,7 @@ under the License.
         </request-map>

         <request-map uri="getAssociatedStateList">
    -        <security https="true" auth="false"/>
    +        <security https="true" auth="true"/>
             <event type="service" invoke="getAssociatedStateList"/>
             <response name="success" type="request" value="json"/>
             <response name="error" type="request" value="json"/>
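Review bot: flipping `auth="false"` to `auth="true"` on the `getAssociatedStateList` request-map forces a login on a JSON endpoint that, according to Deepak's reply in this thread, the anonymous checkout flow calls, so the anonymous checkout path (address form populated without a logged-in user) needs to be exercised before this hunk goes in; the commit message's blanket "all the URLs should be secure" does not evaluate this request individually. If the endpoint has to stay reachable before login, keep `<security https="true" auth="false"/>` for this one request-map and state in the commit message why it is an exception. Note also that the `auth` attribute here governs authentication (whether a login is required), not the "authorization" the commit message refers to; the message should say which of the two it means.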
