[ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16964197#comment-16964197 ]
Jacques Le Roux commented on OFBIZ-9804:
----------------------------------------

I had a look and we should go another way. I 1st thought that we should use a form rather than query parameters as here. But then I found that Hans who initiated contactlist emails, ie
{quote}
ContactListEmailTemplate.ftl
ContactListSubscribeEmail.ftl
ContactListUnsubscribeEmail.ftl
ContactListUnsubscribeVerifyEmail.ftl
ContactListVerifyEmail.ftl
{quote}
changed back from forms to query parameters in URLs (but for ContactListEmailTemplate.ftl that I think he forgot) in [r1150558|http://svn.apache.org/viewvc?view=revision&revision=1150558] because
bq. "change from forms to url's because forms not always work with several email clients."
[I then read more about it|https://www.google.com/search?q=forms+in+email+client&ie=UTF-8] and found that it's better to have a link (w/o query parameters) to a form on the server. So I'll redo all that...

> Link in verification email for Newsletter gives security error
> --------------------------------------------------------------
>
>                 Key: OFBIZ-9804
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9804
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Aditya Sharma
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, provide email and click on subscribe button. (Here you should have email configuration to receive email)
> 3. Click on the verification link in the email.
> It gives following error message
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
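The rule behind the error quoted in the issue, modelled as an added example (this is not OFBiz's own code nor the fix being prepared in this ticket): on a secure request-map whose event calls a service, service parameters carried in the URL query string are rejected, while the same values in the request body are accepted. The request-map table and the set of service parameter names are assumptions reconstructed from the error message and the verification link above; the second function shows the shape of the accepted alternative, a query-free link plus body fields.

```python
from urllib.parse import urlsplit, parse_qs, urlunsplit

# Assumption: request-map uri -> (https required, service called by its event),
# reconstructed from the EventHandlerException text in the issue.
REQUEST_MAPS = {
    "updateContactListPartyNoUserLogin": (True, "updateContactListPartyNoUserLogin"),
}

# Assumption: service IN parameter names, taken from the verification link
# quoted in the issue; the real service definition may differ.
SERVICE_PARAMS = {
    "updateContactListPartyNoUserLogin": {
        "contactListId", "partyId", "fromDate", "statusId",
        "optInVerifyCode", "baseLocation", "preferredContactMechId",
    },
}


def check_request(url, body_params=None):
    """Return the sorted service parameters that arrive in the URL of a
    secure service-backed request-map; an empty list means the request
    passes this check. Body parameters are the accepted channel and are
    never reported."""
    parts = urlsplit(url)
    uri = parts.path.rsplit("/", 1)[-1]
    secure, service = REQUEST_MAPS.get(uri, (False, None))
    if not (secure and service):
        return []
    url_params = set(parse_qs(parts.query).keys())
    return sorted(url_params & SERVICE_PARAMS[service])


def to_form_post(url):
    """Split an offending link into a query-free link and the fields that
    would instead be submitted in the request body (constructed shape of the
    accepted alternative, not the ticket's final design)."""
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query).items()}
    bare = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return bare, fields


# Constructed input: the trunk link quoted in the issue description.
TRUNK_LINK = ("https://demo-trunk.ofbiz.apache.org/ecommerce/control/"
              "updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_"
              "&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED"
              "&optInVerifyCode=9084207171&baseLocation=/ecommerce"
              "&preferredContactMechId=10010")
```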