[jira] [Commented] (OFBIZ-4310) Conversion for complex-alias needs to be implemented
[
https://issues.apache.org/jira/browse/OFBIZ-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608728#comment-16608728
]
Deepak Nigam commented on OFBIZ-4310:
-
Using trunk and getting following warnings on the console:
2018-09-10 10:13:06,787 |delegator-startup-2 |ModelViewEntity |W|
[TestingCryptoRawView]: Conversion for complex-alias needs to be implemented
for cache and in-memory eval stuff to work correctly, will not work for alias:
rawEncryptedValue
2018-09-10 10:13:06,788 |delegator-startup-2 |ModelViewEntity |W|
[TestingCryptoRawView]: Conversion for complex-alias needs to be implemented
for cache and in-memory eval stuff to work correctly, will not work for alias:
rawSaltedEncryptedValue
2018-09-10 10:13:06,884 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemQuantityReportGroupByItem]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: quantityOrdered
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemQuantityReportGroupByItem]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: quantityOpen
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemQuantityReportGroupByProduct]: Conversion for complex-alias needs to
be implemented for cache and in-memory eval stuff to work correctly, will not
work for alias: quantityOrdered
2018-09-10 10:13:06,885 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemQuantityReportGroupByProduct]: Conversion for complex-alias needs to
be implemented for cache and in-memory eval stuff to work correctly, will not
work for alias: quantityOpen
2018-09-10 10:13:06,892 |delegator-startup-2 |ModelViewEntity |W|
[OrderReportSalesGroupByProduct]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: quantityOrdered
2018-09-10 10:13:06,892 |delegator-startup-2 |ModelViewEntity |W|
[OrderReportSalesGroupByProduct]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: amount
2018-09-10 10:13:06,895 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemAndShipGrpInvResAndItemSum]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: quantityOrdered
2018-09-10 10:13:06,895 |delegator-startup-2 |ModelViewEntity |W|
[OrderItemAndShipGrpInvResAndItemSum]: Conversion for complex-alias needs to be
implemented for cache and in-memory eval stuff to work correctly, will not work
for alias: totQuantityAvailable
> Conversion for complex-alias needs to be implemented
> -
>
> Key: OFBIZ-4310
> URL: https://issues.apache.org/jira/browse/OFBIZ-4310
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
>Affects Versions: Release 4.0, Trunk
>Reporter: Jacques Le Roux
>Assignee: Adam Heath
>Priority: Minor
>
> There is a TODO in ModelViewEntity.populateReverseLinks()
> // TODO: conversion for complex-alias needs to be implemented for cache and
> in-memory eval stuff to work correctly
> This throws WARNING at OFBiz startup:
> {code}
> 2011-05-27 13:23:53,161 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOpen of
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOpen of
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,169 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderReportSalesGroupByProduct
> 2011-05-27 13:23:53,176 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias
[jira] [Assigned] (OFBIZ-4310) Conversion for complex-alias needs to be implemented
[
https://issues.apache.org/jira/browse/OFBIZ-4310?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Deepak Nigam reassigned OFBIZ-4310:
---
Assignee: Deepak Nigam (was: Adam Heath)
> Conversion for complex-alias needs to be implemented
> -
>
> Key: OFBIZ-4310
> URL: https://issues.apache.org/jira/browse/OFBIZ-4310
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
>Affects Versions: Release 4.0, Trunk
>Reporter: Jacques Le Roux
>Assignee: Deepak Nigam
>Priority: Minor
>
> There is a TODO in ModelViewEntity.populateReverseLinks()
> // TODO: conversion for complex-alias needs to be implemented for cache and
> in-memory eval stuff to work correctly
> This throws WARNING at OFBiz startup:
> {code}
> 2011-05-27 13:23:53,161 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOpen of
> view-entity OrderItemQuantityReportGroupByItem
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,162 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOpen of
> view-entity OrderItemQuantityReportGroupByProduct
> 2011-05-27 13:23:53,169 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderReportSalesGroupByProduct
> 2011-05-27 13:23:53,176 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: quantityOrdered of
> view-entity OrderItemAndShipGrpInvResAndItemSum
> 2011-05-27 13:23:53,176 (main) [ModelViewEntity.java:538:WARN ]
> Conversion for complex-alias needs to be implemented for cache and in-memory
> eval stuff to work correctly, will not work for alias: totQuantityAvailable
> of view-entity OrderItemAndShipGrpInvResAndItemSum
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OFBIZ-10262) Add Document Content: hr-performance-review.adoc
[ https://issues.apache.org/jira/browse/OFBIZ-10262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608452#comment-16608452 ] Sharan Foga commented on OFBIZ-10262: - HI [~swapnilmmane], thanks for the update and yes I think this is a good direction to take. I don't think we need to include details about fields and field validation at this stage as it's too much information to be useful at this stage. The high level outline is good for someone wanting to get a basic understanding of what it is and how to use it. Later when we do the individual online help screens then maybe we could incorporate details about the fields etc. Another thing I thought about is that after we have done the main outlines of each guide then where it say things like 'Create Performance Review' or 'Delete Performance Review Item' we could make those into links to other documents that contain the steps for doing those actual tasks. But I think the main focus will be about getting all the high level documentation for as many modules as possible done. :) > Add Document Content: hr-performance-review.adoc > > > Key: OFBIZ-10262 > URL: https://issues.apache.org/jira/browse/OFBIZ-10262 > Project: OFBiz > Issue Type: Sub-task >Reporter: Sharan Foga >Assignee: Swapnil M Mane >Priority: Minor > Attachments: hr-performance-review.adoc > > > Using details from the OFBiz wiki workspaces and the Human Resources Guide > and other human resources asciidoc file, write or organise the content for > the hr-performance-review.adoc file. > A copy of the existing file will be attached. Please write document content > for hr-performance-review.adoc by updating the template then re-attach the > updated document to this issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10262) Add Document Content: hr-performance-review.adoc
[ https://issues.apache.org/jira/browse/OFBIZ-10262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Sharan Foga updated OFBIZ-10262: Attachment: (was: hr-performance-review.adoc) > Add Document Content: hr-performance-review.adoc > > > Key: OFBIZ-10262 > URL: https://issues.apache.org/jira/browse/OFBIZ-10262 > Project: OFBiz > Issue Type: Sub-task >Reporter: Sharan Foga >Assignee: Swapnil M Mane >Priority: Minor > Attachments: hr-performance-review.adoc > > > Using details from the OFBiz wiki workspaces and the Human Resources Guide > and other human resources asciidoc file, write or organise the content for > the hr-performance-review.adoc file. > A copy of the existing file will be attached. Please write document content > for hr-performance-review.adoc by updating the template then re-attach the > updated document to this issue. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10427) Add a mean to handle CSRF
[
https://issues.apache.org/jira/browse/OFBIZ-10427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608439#comment-16608439
]
Jacques Le Roux commented on OFBIZ-10427:
-
Hi Girish,
I did not review nor tested yet. It's indeed a way to go.
The others so far being made by Gregory in the security ML. I completly missed
to put them in [my answer in dev ML|https://s.apache.org/XPhR] with my answers
to Gregory's suggestion then (3 months ago, on a related subject including
CSRF). Here they are:
{quote}> So to do that, I recommend to perform a SHA512 of the user's session
(as it is unpredictable) and then you pass this value in the body request. Then
the application checks it is okay by hashing the session value and and compare
with the value that has been passed.
{quote}
That's an idea, I'll get deeper in this. Because I believe Tomcat CSRF filter
is too limited for our use in OFBiz
{quote}> Maybe through Java Aspect? I don't know if it supported?
{quote}
We don't use Java Aspect (yet). Anyway I'll consider it also beside building
our own filter.
I must add that maybe subclassing the Tomcat filter is easier, better, etc. We
have to compare both solutions and if needed discuss them again in dev ML.
Since we already began to discuss there, at this stage I think we can start
here :)
> Add a mean to handle CSRF
> -
>
> Key: OFBIZ-10427
> URL: https://issues.apache.org/jira/browse/OFBIZ-10427
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Attachments: webtools_web.xml.patch
>
>
> I already worked on that in OFBiz but without success so far:
> https://markmail.org/message/r245yie623cdo3wz)
> The tracks I explored are:
> * https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project (really
> not simple in OFBiz)
> *
> https://tomcat.apache.org/tomcat-8.5-doc/config/filter.html#CSRF_Prevention_Filter/Introduction
> (I think preferred)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608411#comment-16608411 ] Michael Brohl commented on OFBIZ-4361: -- Hi [~soledad], sorry for the late reply and delay with this issue. We are currently over-occupied with projects so it might take some time to prepare everything. > Any ecommerce user has the ability to reset anothers password (including > admin) via "Forget Your Password" > -- > > Key: OFBIZ-4361 > URL: https://issues.apache.org/jira/browse/OFBIZ-4361 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Release Branch 11.04, Trunk > Environment: Ubuntu and others >Reporter: mz4wheeler >Assignee: Michael Brohl >Priority: Major > Labels: security > Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, > OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch > > > Currently, any user (via ecommerce "Forget Your Password") has the ability to > reset another users password, including "admin" without permission. By > simply entering "admin" and clicking "Email Password", the following is > displayed. > The following occurred: > A new password has been created and sent to you. Please check your Email. > This now forces the user of the ERP to change their password. It is also > possible to generate a dictionary attack against ofbiz because there is no > capta code required. This is serious security risk. > This feature could be reduced to a certain sub-set of users, whose login name > is optionally in the format of an email address, and maybe require a capta > code to prevent dictionary attacks. > For example, limit the feature to role "Customer" of type "Person" which was > generated via an ecommerce transaction. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken
[ https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608399#comment-16608399 ] Jacques Le Roux commented on OFBIZ-10554: - Hi Sebastian, It's not related to ecommerce, but product component. Also I don't reproduce locally nor trunk demo. Are you sure there are no changes you did yesterday on trunk demo that could have an impact? They are wiped everyday (fresh restart up to date) > Trunk - Ecommerce - Product Content "Add Additional Images" broken > -- > > Key: OFBIZ-10554 > URL: https://issues.apache.org/jira/browse/OFBIZ-10554 > Project: OFBiz > Issue Type: Bug > Components: product >Affects Versions: Trunk >Reporter: Sebastian Wachinger >Priority: Major > > Using "Add Additional Images" fails with a NullPointerException on the trunk > demo > [https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000|https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1004] > (same on my local installation). > On the stable demo this works > [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000] > (same on my respective local installation). -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Closed] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken
[ https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux closed OFBIZ-10554. --- Resolution: Cannot Reproduce Assignee: Jacques Le Roux Please reopen if you need, thanks > Trunk - Ecommerce - Product Content "Add Additional Images" broken > -- > > Key: OFBIZ-10554 > URL: https://issues.apache.org/jira/browse/OFBIZ-10554 > Project: OFBiz > Issue Type: Bug > Components: product >Affects Versions: Trunk >Reporter: Sebastian Wachinger >Assignee: Jacques Le Roux >Priority: Major > > Using "Add Additional Images" fails with a NullPointerException on the trunk > demo > [https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000|https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1004] > (same on my local installation). > On the stable demo this works > [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000] > (same on my respective local installation). -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10554) Trunk - Ecommerce - Product Content "Add Additional Images" broken
[ https://issues.apache.org/jira/browse/OFBIZ-10554?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-10554: Component/s: (was: ecommerce) product > Trunk - Ecommerce - Product Content "Add Additional Images" broken > -- > > Key: OFBIZ-10554 > URL: https://issues.apache.org/jira/browse/OFBIZ-10554 > Project: OFBiz > Issue Type: Bug > Components: product >Affects Versions: Trunk >Reporter: Sebastian Wachinger >Priority: Major > > Using "Add Additional Images" fails with a NullPointerException on the trunk > demo > [https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000|https://demo-trunk.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1004] > (same on my local installation). > On the stable demo this works > [https://demo-stable.ofbiz.apache.org/catalog/control/EditProductContent?productId=GZ-1000] > (same on my respective local installation). -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jacques Le Roux reassigned OFBIZ-10187:
---
Assignee: (was: Jacques Le Roux)
> OWASP sanitizer breaks proper rendering of HTML code
>
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
>Affects Versions: 16.11.04
>Reporter: Michael Brohl
>Priority: Critical
>
> The current implementation of the sanitizer breaks the proper rendering of
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> will be rendered to
> {code:java}
>
> src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg"
> alt="" />
>
>
> Lorem ipsum dolor sit amet
> At vero eos et accusam et justo
>
> Lorem ipsum dolor sit amet, consetetur
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
> takimata sanctus est Lorem ipsum dolor sit amet.
>
> href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>
>
> {code}
> I do not see any reason to not allow class attributes in html code. There
> might be other problems with these rules but this is a showstopper.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OFBIZ-9664) OFBiz 16 migration - HTML content filtered
[ https://issues.apache.org/jira/browse/OFBIZ-9664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608363#comment-16608363 ] Jacques Le Roux commented on OFBIZ-9664: Thanks Sebastian, I'll just add that people should be carefull with this workaround. Because it removes some security in all other parts where sanitizer.permissive.policy is used, ie where HtmlEncoder::sanitize is used. I explained it a bit more in OFBIZ-10187 > OFBiz 16 migration - HTML content filtered > --- > > Key: OFBIZ-9664 > URL: https://issues.apache.org/jira/browse/OFBIZ-9664 > Project: OFBiz > Issue Type: Bug > Components: content, ecommerce >Affects Versions: 16.11.03 >Reporter: Sebastian Wachinger >Priority: Minor > Fix For: Trunk, 16.11.05 > > > Perhaps this is no bug, but a new feature: After migrating to OFBiz 16, > content of type "Long Text" containing HTML is now displayed in the ecommerce > shop frontend with certain attributes deleted, e.g. "class" and "id". Is > there a config file to allow those attributes to be displayed? -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (OFBIZ-9664) OFBiz 16 migration - HTML content filtered
[
https://issues.apache.org/jira/browse/OFBIZ-9664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16608271#comment-16608271
]
Jacques Le Roux edited comment on OFBIZ-9664 at 9/9/18 6:52 AM:
The solution/workaround for this issue is: Set
{{sanitizer.permissive.policy=true}} in
{{framework/base/config/owasp.properties}}
See also OFBIZ-6669 and OFBIZ-10187
was (Author: komdata):
The solution/workaround for this issue is: Set
{{sanitizer.permissive.policy=true}} in
{{framework/base/config/owasp.properties}}
See also [OFBIZ-6669|https://issues.apache.org/jira/browse/OFBIZ-6669] and
[OFBIZ-10187|https://issues.apache.org/jira/browse/OFBIZ-10187]
> OFBiz 16 migration - HTML content filtered
> ---
>
> Key: OFBIZ-9664
> URL: https://issues.apache.org/jira/browse/OFBIZ-9664
> Project: OFBiz
> Issue Type: Bug
> Components: content, ecommerce
>Affects Versions: 16.11.03
>Reporter: Sebastian Wachinger
>Priority: Minor
> Fix For: Trunk, 16.11.05
>
>
> Perhaps this is no bug, but a new feature: After migrating to OFBiz 16,
> content of type "Long Text" containing HTML is now displayed in the ecommerce
> shop frontend with certain attributes deleted, e.g. "class" and "id". Is
> there a config file to allow those attributes to be displayed?
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
