[jira] [Commented] (OFBIZ-7162) Delete Child Period in EditCustomTimePeriod not secure

Mon, 06 Jun 2016 01:18:49 -0700 

    [ 
https://issues.apache.org/jira/browse/OFBIZ-7162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15316315#comment-15316315
 ] 

Montalbano Florian commented on OFBIZ-7162:
-------------------------------------------

I tested the patch for the trunk and the 15.12 version. It working fine, there 
is no error showing up (unless you count the error  "caused a violation of 
foreign key constraint 'GLACCT_HST_CTP' " which is not very user friendly but 
at least it's not a bug) and the custom time period is deleted. Well done !

I'm fetching the two other versions of OFBiz to try it out on them.



> Delete Child Period in EditCustomTimePeriod not secure
> ------------------------------------------------------
>
>                 Key: OFBIZ-7162
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7162
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: accounting
>    Affects Versions: Release Branch 13.07, Release Branch 14.12, Trunk, 
> Release Branch 15.12
>            Reporter: Montalbano Florian
>            Assignee: Pranay Pandey
>            Priority: Minor
>             Fix For: 14.12.01, 15.12.01, 13.07.04
>
>         Attachments: OFBIZ-7162-13_07.patch, OFBIZ-7162-14_12.patch, 
> OFBIZ-7162-15_12.patch, OFBIZ-7162.patch
>
>
> When deleting a Child Periods here : 
> https://localhost:8443/accounting/control/EditCustomTimePeriod . The 
> following error shows up :
> "The Following Errors Occurred:
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL 
> parameter [customTimePeriodId] passed to secure (https) request-map with uri 
> [deleteCustomTimePeriod] with an event that calls service 
> [deleteCustomTimePeriod]; this is not allowed for security reasons! The data 
> should be encrypted by making it part of the request body (a form field) 
> instead of the request URL. Moreover it would be kind if you could create a 
> Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check 
> before if a sub-task for this error does not exist). If you are not sure how 
> to create a Jira issue please have a look before at 
> http://cwiki.apache.org/confluence/x/JIB2 Thank you in advance for your help."
> I checked the sub task of OFBIZ-2330 and didn't see this one yet.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to