[
https://issues.apache.org/jira/browse/OFBIZ-11329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17025839#comment-17025839
]
Jacques Le Roux commented on OFBIZ-11329:
-----------------------------------------
Hi James,
You are right, and it's a bit more complicated than that. Because starting from
a clean state (nothing in sessionStorage) setting the method to SET and getting
to https://localhost:8443/catalog/control/main gives me this in log:
{noformat}
2020-01-29 11:19:47,800 |jsse-nio-8443-exec-7 |ControlServlet
|T| [[[catalog::main (Domain:https://localhost)] Request Begun,
encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-01-29 11:19:47,863 |jsse-nio-8443-exec-7 |ConfigXMLReader
|I| controller loaded: 0.0s, 0 requests, 0 views in
file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/handlers-controller.xml
2020-01-29 11:19:47,863 |jsse-nio-8443-exec-7 |ConfigXMLReader
|I| controller loaded: 0.018s, 49 requests, 21 views in
file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/common-controller.xml
2020-01-29 11:19:47,881 |jsse-nio-8443-exec-7 |ConfigXMLReader
|I| controller loaded: 0.0s, 26 requests, 10 views in
file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/WEB-INF/portal-controller.xml
2020-01-29 11:19:47,898 |jsse-nio-8443-exec-7 |ConfigXMLReader
|I| controller loaded: 0.0s, 4 requests, 0 views in
file:/C:/projectsASF/Git/ofbiz-framework/applications/commonext/webapp/WEB-INF/controller.xml
2020-01-29 11:19:47,903 |jsse-nio-8443-exec-7 |ConfigXMLReader
|I| controller loaded: 0.077s, 539 requests, 178 views in
file:/C:/projectsASF/Git/ofbiz-framework/applications/product/webapp/catalog/WEB-INF/controller.xml
2020-01-29 11:19:47,907 |jsse-nio-8443-exec-7 |RequestHandler
|I| Rendering View [login]. Hidden sessionId by default.
2020-01-29 11:19:47,917 |jsse-nio-8443-exec-7 |ScreenFactory
|I| Got 26 screens in 0.006s from:
file:/C:/projectsASF/Git/ofbiz-framework/framework/common/widget/CommonScreens.xml
2020-01-29 11:19:48,094 |jsse-nio-8443-exec-7 |ScreenFactory
|I| Got 25 screens in 0.007s from:
file:/C:/projectsASF/Git/ofbiz-framework/themes/common-theme/widget/CommonScreens.xml
2020-01-29 11:19:48,101 |jsse-nio-8443-exec-7 |ScreenFactory
|I| Got 16 screens in 0.007s from:
file:/C:/projectsASF/Git/ofbiz-framework/applications/product/widget/catalog/CommonScreens.xml
2020-01-29 11:19:48,108 |jsse-nio-8443-exec-7 |ScreenFactory
|I| Got 1 screens in 0.006s from:
file:/C:/projectsASF/Git/ofbiz-framework/applications/commonext/widget/CommonScreens.xml
2020-01-29 11:19:48,108 |jsse-nio-8443-exec-7 |PrimaryKeyFinder
|I| Returning null because found incomplete primary key in find:
[GenericEntity:PartyNameView][partyId,null()]
2020-01-29 11:19:48,189 |jsse-nio-8443-exec-7 |ServiceDispatcher
|T| Sync service [catalog/getLastSystemInfoNote] finished in [11] milliseconds
2020-01-29 11:19:48,219 |jsse-nio-8443-exec-7 |ServerHitBin
|I| Visit delegatorName=default, ServerHitBin delegatorName=default
2020-01-29 11:19:48,220 |jsse-nio-8443-exec-7 |ControlServlet
|T| [[[catalog::main (Domain:https://localhost)] Request Done- total:0.42,since
last([catalog::main (D...):0.42]]
2020-01-29 11:19:52,168 |jsse-nio-8443-exec-8 |ControlServlet
|T| [[[catalog::SetTimeZoneFromBrowser (Domain:https://localhost)] Request
Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
2020-01-29 11:19:52,202 |jsse-nio-8443-exec-8 |ControlServlet
|I| Going to external page: /SetTimeZoneFromBrowser
2020-01-29 11:19:52,202 |jsse-nio-8443-exec-8 |ControlServlet
|E| An error occurred, going to the errorPage:
file:/C:/projectsASF/Git/ofbiz-framework/framework/common/webcommon/error/Error.ftl
2020-01-29 11:19:52,219 |jsse-nio-8443-exec-8 |ServerHitBin
|I| Visit delegatorName=default, ServerHitBin delegatorName=default
2020-01-29 11:19:52,221 |jsse-nio-8443-exec-8 |ControlServlet
|T| [[[catalog::SetTimeZoneFromBrowser (Domain:https://localhost)] Request
Done- total:0.052,since last([catalog::SetTime...):0.052]]
{noformat}
I thought it was OK. But actually this is before signing in. So there is no
userLogin to store the lastTimeZone field SetTimeZoneFromBrowser.groovy. So
it's wrong for this reason. Because lastTimeZone will never be stored in
userLogin since it's bypassed once SetTimeZoneFromBrowser has been set to "done"
in sessionStorage. I need to find another solution, because when we use POST as
reported in OFBIZ-11306 we have:
bq. SetTimeZoneFromBrowser when starting:
org.apache.ofbiz.webapp.control.RequestHandlerException: Invalid or missing
CSRF token for AJAX call to path '/SetTimeZoneFromBrowser'. Also not only when
starting.
> setUserTimeZone should use Get rather than POST
> -----------------------------------------------
>
> Key: OFBIZ-11329
> URL: https://issues.apache.org/jira/browse/OFBIZ-11329
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework, webpos
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
>
> This will be useful when committing CSRF solution as explained in OFBIZ-11306
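The failure described in the comment above, as an added example that is not part of the original message and is not OFBiz code: a small simulation of a client-side "done" flag that is set before sign-in, so the time zone is never stored in userLogin. The storage and server stand-ins and the function names are hypothetical; only the sessionStorage key `SetTimeZoneFromBrowser` and its value `done` come from the comment, and the second guard is an assumed alternative, not the fix the project adopted.

```javascript
// Constructed simulation; helper and function names are hypothetical.
// Minimal stand-in for the browser's sessionStorage.
function makeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
  };
}

// Stand-in for the server: the time zone can only be persisted when a
// userLogin exists in the session, which is the condition the comment raises.
function makeServer() {
  const state = { userLogin: null, calls: 0 };
  return {
    state,
    login(id) { state.userLogin = { id, lastTimeZone: null }; },
    setTimeZone(tz) {
      state.calls++;
      if (!state.userLogin) return { stored: false };
      state.userLogin.lastTimeZone = tz;
      return { stored: true };
    },
  };
}

// Guard as described in the comment: the flag is set after the first call,
// whether or not anything was stored.
function sendOnce(storage, server, tz) {
  if (storage.getItem("SetTimeZoneFromBrowser") === "done") return false;
  server.setTimeZone(tz);
  storage.setItem("SetTimeZoneFromBrowser", "done");
  return true;
}

// Assumed alternative: mark "done" only once the server reports it stored.
function sendUntilStored(storage, server, tz) {
  if (storage.getItem("SetTimeZoneFromBrowser") === "done") return false;
  const result = server.setTimeZone(tz);
  if (result.stored) storage.setItem("SetTimeZoneFromBrowser", "done");
  return true;
}

// Replays the sequence from the log: one request on the login page, then
// sign-in, then the next page load in the same browser tab.
function run(guard) {
  const storage = makeStorage();
  const server = makeServer();
  guard(storage, server, "Europe/Paris"); // before signing in
  server.login("admin");
  guard(storage, server, "Europe/Paris"); // after signing in
  return { lastTimeZone: server.state.userLogin.lastTimeZone, calls: server.state.calls };
}
```
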