Re: [ofbiz-plugins] branch trunk updated: Improved: "auth" should be true for all the request url used for Application components

Mon, 16 Mar 2020 01:47:27 -0700 

Like add Billing/shipping address while  anon checkout, New customer
registration etc.

Thanks & Regards
--
Deepak Dixit
ofbiz.apache.org


On Mon, Mar 16, 2020 at 1:14 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi Deepak,
>
> Yes, I wondered about that too, but in which case/s do you think
> getAssociatedStateList can be requested w/o being authenticated?
>
> Thanks
>
> Jacques
> Le 16/03/2020 à 06:49, Deepak Dixit a écrit :
>
> Hi Jacques,
>
> I think we can't make auth true for getAssociatedStateList, this will
> break the anon checkout flow.
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org
>
>
> On Sat, Mar 14, 2020 at 1:19 PM <jler...@apache.org> wrote:
>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> jleroux pushed a commit to branch trunk
>> in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
>>
>>
>> The following commit(s) were added to refs/heads/trunk by this push:
>>      new e72e134  Improved: "auth" should be true for all the request url
>> used for Application components
>> e72e134 is described below
>>
>> commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68
>> Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
>> AuthorDate: Sat Mar 14 08:49:54 2020 +0100
>>
>>     Improved: "auth" should be true for all the request url used for
>> Application
>>     components
>>
>>     (OFBIZ-4956)
>>
>>     Currently there are some URLs present in application components with
>>     auth="false". So anyone can hit these URLs and access these resources
>> without
>>     authorization.
>>
>>     I think all the URLs should be secure with auth="true"
>>
>>     Thanks: Amardeep Singh Jhajj for report and initial fix
>> ---
>>  ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> index 5f7031c..27a0383 100644
>> --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
>> @@ -1605,7 +1605,7 @@ under the License.
>>      </request-map>
>>
>>      <request-map uri="getAssociatedStateList">
>> -        <security https="true" auth="false"/>
>> +        <security https="true" auth="true"/>
>>          <event type="service" invoke="getAssociatedStateList"/>
>>          <response name="success" type="request" value="json"/>
>>          <response name="error" type="request" value="json"/>
>>
>>

Reply via email to