[jira] [Commented] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Deepak Dixit (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16712352#comment-16712352
 ] 

Deepak Dixit commented on OFBIZ-10666:
--

Thanks Jacques for the detailed description, 
I agree autoLogin should be removed if a user does log out. Also if the system 
is using autoLogin then also if he wants to access the profile or some other 
information he needs to log in again. 

Also if the visit tracking is disabled then the system does not run the first 
visit event, so it's good to have autoLoginCheck on the preprocessor. 

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png, OFBIZ-10666.patch
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Assigned] (OFBIZ-10488) Replace Callable objects with lambda expressions

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-10488:
---

Assignee: Jacques Le Roux

> Replace Callable objects with lambda expressions
> 
>
> Key: OFBIZ-10488
> URL: https://issues.apache.org/jira/browse/OFBIZ-10488
> Project: OFBiz
>  Issue Type: Improvement
>Reporter: Mathieu Lirzin
>Assignee: Jacques Le Roux
>Priority: Minor
> Fix For: Upcoming Branch
>
> Attachments: 
> OFBIZ-10488_Replace-Callable-objects-with-lambda-expressions.patch
>
>
> Since Java 8 it is possible to instantiate functional interfaces (interfaces 
> with one non-static method) with lambda expressions instead of anonymous 
> classes.
> The attached patch replaces the creation of {{callable}} objects with lambda 
> expressions.





[jira] [Closed] (OFBIZ-10418) createShoppingListItem service fails

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10418?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10418.
---
   Resolution: Cannot Reproduce
 Assignee: Jacques Le Roux
Fix Version/s: Upcoming Branch

It seems that OFBIZ-5157 fixed this issue.

> createShoppingListItem service fails
> 
>
> Key: OFBIZ-10418
> URL: https://issues.apache.org/jira/browse/OFBIZ-10418
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
> Fix For: Upcoming Branch
>
>
> This issue does not exist in R16, is reproducible locally and on demo in 
> trunk and R17. Here is the stack trace:
> {code}
> 2018-05-27 09:28:51,708 |ajp-nio-8009-exec-4  |EntityListIterator
> |W| Warning: auto-closed EntityListIterator because of exception: 
> java.sql.SQLTransactionRollbackException: A lock could not be obtained within 
> the time requested
> 2018-05-27 09:28:51,709 |ajp-nio-8009-exec-4  |EntityListIterator
> |W| This EntityListIterator for Entity [ShoppingList] has already been 
> closed, not closing again.
> 2018-05-27 09:28:51,709 |ajp-nio-8009-exec-4  |GenericDelegator  
> |E| Failure in findByCondition operation for entity [ShoppingList]: 
> org.apache.ofbiz.entity.GenericEntityException: Error getting the next result 
> (A lock could not be obtained within the time requested). Rolling back 
> transaction.
> org.apache.ofbiz.entity.GenericEntityException: Error getting the next result 
> (A lock could not be obtained within the time requested)
>   at 
> org.apache.ofbiz.entity.util.EntityListIterator.getCompleteList(EntityListIterator.java:429)
>  ~[ofbiz.jar:?]
>   at 
> org.apache.ofbiz.entity.GenericDelegator.findList(GenericDelegator.java:1581) 
> [ofbiz.jar:?]
>   at org.apache.ofbiz.entity.util.EntityQuery.query(EntityQuery.java:451) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.entity.util.EntityQuery.queryList(EntityQuery.java:381) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.entity.util.EntityQuery.queryOne(EntityQuery.java:423) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.entity.finder.PrimaryKeyFinder.runFind(PrimaryKeyFinder.java:152)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.entity.finder.PrimaryKeyFinder.runFind(PrimaryKeyFinder.java:87)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.method.entityops.EntityOne.exec(EntityOne.java:58) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.SimpleMethod.runSubOps(SimpleMethod.java:310) 
> [ofbiz.jar:?]
>   at org.apache.ofbiz.minilang.SimpleMethod.exec(SimpleMethod.java:457) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:274) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:293)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:79)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:48)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:400)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:228)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:103)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ModelService.evalPermission(ModelService.java:1020) 
> [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ServiceDispatcher.checkAuth(ServiceDispatcher.java:934)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:357)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:228)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.order.shoppinglist.ShoppingListEvents.addBulkFromCart(ShoppingListEvents.java:157)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.order.shoppinglist.ShoppingListEvents.fillAutoSaveList(ShoppingListEvents.java:414)
>  [ofbiz.jar:?]
>   at 
> org.apache.ofbiz.order.shoppinglist.ShoppingListEvents.saveCartToAutoSaveList(ShoppingListEvents.java:432)
>  [ofbiz.jar:?]
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
> ~[?:1.8.0_171]
>   at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) 
> ~[?:1.8.0_171]
>   at 
> 

[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2018-12-06 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711693#comment-16711693
 ] 

Jacques Le Roux commented on OFBIZ-4361:


Hi Michael,

Yes I'll try

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
> Environment: Ubuntu and others
>Reporter: mz4wheeler
>Assignee: Michael Brohl
>Priority: Major
>  Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin" without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.



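The behaviour reported in OFBIZ-4361, next to a token-based reset, as an added example that is not taken from any of the patches attached to the issue. The class, its method names, the token lifetime and the throttle limits are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public class PasswordResetDemo {
    static final String REPLY = "If the account exists, an email has been sent.";
    static final Duration TOKEN_TTL = Duration.ofMinutes(30); // assumed policy
    static final Duration WINDOW = Duration.ofHours(1);       // assumed policy
    static final int MAX_REQUESTS_PER_WINDOW = 3;             // assumed policy

    private final SecureRandom random = new SecureRandom();
    final Map<String, String> passwords = new HashMap<>(); // plain text only for the demo
    final Map<String, String> outbox = new HashMap<>();    // stand-in for mail: id -> token sent
    private final Map<String, Pending> pending = new HashMap<>(); // keyed by token hash
    private final Map<String, Instant> windowStart = new HashMap<>();
    private final Map<String, Integer> windowCount = new HashMap<>();

    private static final class Pending {
        final String userLoginId;
        final Instant expires;
        Pending(String u, Instant e) { userLoginId = u; expires = e; }
    }

    /** Reported behaviour: naming an account is enough to replace its password at once. */
    String resetImmediately(String id) {
        if (passwords.containsKey(id)) {
            passwords.put(id, newSecret());
        }
        return "A new password has been created and sent to you. Please check your Email.";
    }

    /** Hardened request: password untouched, single-use token mailed, same reply for any input. */
    String requestReset(String id, Instant now) {
        if (!throttled(id, now) && passwords.containsKey(id)) {
            String token = newSecret();
            pending.values().removeIf(p -> p.userLoginId.equals(id)); // one live token per account
            pending.put(sha256(token), new Pending(id, now.plus(TOKEN_TTL)));
            outbox.put(id, token);
        }
        return REPLY;
    }

    /** Only the holder of the mailed token can set a new password, once, before expiry. */
    boolean redeem(String token, String newPassword, Instant now) {
        Pending p = pending.remove(sha256(token)); // removed on first use, valid or not
        if (p == null || now.isAfter(p.expires)) {
            return false;
        }
        passwords.put(p.userLoginId, newPassword);
        return true;
    }

    /** Fixed-window counter per login id; limits automated repetition of requests. */
    private boolean throttled(String id, Instant now) {
        Instant start = windowStart.get(id);
        if (start == null || now.isAfter(start.plus(WINDOW))) {
            windowStart.put(id, now);
            windowCount.put(id, 0);
        }
        return windowCount.merge(id, 1, Integer::sum) > MAX_REQUESTS_PER_WINDOW;
    }

    private String newSecret() {
        byte[] b = new byte[32];
        random.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every Java platform
        }
    }

    public static void main(String[] args) {
        Instant t0 = Instant.parse("2018-12-06T12:00:00Z"); // constructed sample time
        PasswordResetDemo svc = new PasswordResetDemo();
        svc.passwords.put("admin", "original");
        svc.resetImmediately("admin");
        System.out.println("immediate reset changed password: " + !"original".equals(svc.passwords.get("admin")));

        svc.passwords.put("admin", "original");
        boolean sameReply = svc.requestReset("admin", t0).equals(svc.requestReset("no-such-user", t0));
        System.out.println("same reply for known and unknown: " + sameReply);
        System.out.println("password unchanged by request: " + "original".equals(svc.passwords.get("admin")));
        System.out.println("guessed token accepted: " + svc.redeem("guess", "x", t0));
        String mailed = svc.outbox.get("admin");
        System.out.println("mailed token accepted: " + svc.redeem(mailed, "chosen-by-owner", t0.plusSeconds(60)));
        System.out.println("token reuse accepted: " + svc.redeem(mailed, "again", t0.plusSeconds(120)));
    }
}
```

A production version would store salted password hashes and bound the size of the throttle maps, since login ids arrive from unauthenticated callers.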


[jira] [Closed] (OFBIZ-10696) ConcurrentModificationException in ShoppingCart.cleanUpShipGroups

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10696.
---
   Resolution: Fixed
Fix Version/s: 16.11.06
   17.12.01

Thanks Danny,

Your patch is in 
 trunk r1848336 
 R17 r1848337
 R16 r1848338

Actually I should have fixed that with OFBIZ-1953 (though for a different 
reason) but forgot :/.

Also I'd like to ask for your help to test a change of my own. Could you please 
replace the content of the method by   
{code:java}
public void cleanUpShipGroups() {
    shipInfo.removeIf(x -> x.shipItemInfo.keySet()
            .iterator()
            .next()
            .getQuantity()
            .compareTo(BigDecimal.ZERO) == 0);
    shipInfo.removeIf(x -> x.shipItemInfo.size() == 0);
}
{code}
and see if you get the same result?

I was not able to test it (I trust your changes are OK), so it would be very 
nice of you, thanks.

> ConcurrentModificationException in ShoppingCart.cleanUpShipGroups
> -
>
> Key: OFBIZ-10696
> URL: https://issues.apache.org/jira/browse/OFBIZ-10696
> Project: OFBiz
>  Issue Type: Bug
>  Components: order
>Affects Versions: Trunk
>Reporter: Danny Trunk
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06
>
> Attachments: OFBIZ-10696.diff
>
>
> {code:java}
> java.util.ConcurrentModificationException: null
> at 
> java.util.LinkedList$ListItr.checkForComodification(LinkedList.java:966) 
> ~[?:1.8.0_181]
> at java.util.LinkedList$ListItr.next(LinkedList.java:888) 
> ~[?:1.8.0_181]
> at 
> org.apache.ofbiz.order.shoppingcart.ShoppingCart.cleanUpShipGroups(ShoppingCart.java:2199)
>  ~[ofbiz.jar:?]
> {code}
> There's a for-loop over shipInfo and a call to clear inside this loop which 
> leads to a ConcurrentModificationException: 
> https://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppingcart/ShoppingCart.java?view=markup#l2251



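The failure in the quoted stack trace and a removal pattern that avoids it, as an added example that is neither the OFBiz source nor either change discussed on this issue. `ShipGroup`, its item map and the sample cart are constructed stand-ins for the cart's ship info.

```java
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.ConcurrentModificationException;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

public class ShipGroupCleanupDemo {

    /** Stand-in for one ship group: item name -> quantity assigned to this group. */
    static final class ShipGroup {
        final String id;
        final Map<String, BigDecimal> items = new LinkedHashMap<>();

        ShipGroup(String id) { this.id = id; }

        ShipGroup with(String item, String qty) {
            items.put(item, new BigDecimal(qty));
            return this;
        }
    }

    /** Constructed sample: g1 holds only zero quantities, g2 is empty, g3 is mixed, g4 is live. */
    static List<ShipGroup> sampleCart() {
        List<ShipGroup> groups = new LinkedList<>();
        groups.add(new ShipGroup("g1").with("A", "0").with("B", "0.00"));
        groups.add(new ShipGroup("g2"));
        groups.add(new ShipGroup("g3").with("C", "0").with("D", "2"));
        groups.add(new ShipGroup("g4").with("E", "1"));
        return groups;
    }

    static boolean isZero(BigDecimal q) {
        // compareTo ignores scale, so 0 and 0.00 both count as zero; equals() would not.
        return q.compareTo(BigDecimal.ZERO) == 0;
    }

    /** The failure mode: the list is structurally modified while a for-each iterates it. */
    static void cleanUpInsideForEach(List<ShipGroup> groups) {
        for (ShipGroup g : groups) {
            g.items.values().removeIf(ShipGroupCleanupDemo::isZero);
            if (g.items.isEmpty()) {
                groups.remove(g); // bypasses the loop's iterator; its next() then throws
            }
        }
    }

    /** Safe variant: prune items inside each group, then drop empty groups with removeIf. */
    static void cleanUpSafely(List<ShipGroup> groups) {
        for (ShipGroup g : groups) {
            // Changes the group's map, not the list being iterated.
            g.items.values().removeIf(ShipGroupCleanupDemo::isZero);
        }
        // isEmpty() also covers groups that were empty from the start; calling
        // keySet().iterator().next() on such a group throws NoSuchElementException.
        groups.removeIf(g -> g.items.isEmpty());
    }

    static List<String> ids(List<ShipGroup> groups) {
        List<String> out = new ArrayList<>();
        for (ShipGroup g : groups) {
            out.add(g.id);
        }
        return out;
    }

    public static void main(String[] args) {
        List<ShipGroup> broken = sampleCart();
        try {
            cleanUpInsideForEach(broken);
            System.out.println("no exception, groups left: " + ids(broken));
        } catch (ConcurrentModificationException e) {
            System.out.println("for-each removal failed: " + e);
        }

        List<ShipGroup> fixed = sampleCart();
        cleanUpSafely(fixed);
        System.out.println("safe cleanup keeps: " + ids(fixed));
    }
}
```

Removing the second-to-last element inside a for-each ends the loop without an exception and silently skips the last element, so the absence of a stack trace does not show that such a loop is correct.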


[jira] [Comment Edited] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711497#comment-16711497
 ] 

Jacques Le Roux edited comment on OFBIZ-10666 at 12/6/18 4:03 PM:
--

Yes and it's based on the autologin cookie and that's where things get 
complicated.

I cleaned the situation with the OFBIZ-4959 and OFBIZ-10635. But browsers' 
behaviours are different. That's why The Onion wrote [this 
parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860].
For instance FF is snarky because [it does not delete expired cookies 
immediately even if you close 
FF|https://support.mozilla.org/fr/questions/983361]. So when you quickly look 
at them in the browser they are still there with a date :/. So you can't refer 
to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double 
checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in 
{{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be 
there after autoLoginRemove (which calls logout, important for the sequel). So 
after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls 
autoLoginCheck which depends on the cookie value ("autoUserLoginId"). And sets 
the sessionAttributes.autoName again on which the information in header depends.

The autoLogin feature improves the user's experience. During a year if the 
user comes back s/he is logged in automatically after her/his last visit.
But if the user is not the right one (for instance several users use the same 
machine) or if s/he decided to log out then s/he should not be logged in and 
her/his name should not appear on header.

Here is a patch that should conform the behaviour to this "specification", 
please check if it's OK with you before I commit. Note that you might encounter 
an issue if you don't start from a clean state. So better to remove the JSESSIONID 
cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. 
Also not only rely on 1st visit processor to run autoLoginCheck but also on 
preprocessor. The latter might be controversial but I did not find a better way 
to fix the current behaviour.


was (Author: jacques.le.roux):
Yes and it's based on the autologin cookie and that's where things get 
complicated.

I cleaned the situation with the OFBIZ-4959 and OFBIZ-10635. But browsers' 
behaviours are different. That's why The Onion wrote [this 
parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860].
For instance FF is snarky because [it does not delete expired cookies 
immediately even if you close 
FF|https://support.mozilla.org/fr/questions/983361]. So when you quickly look 
at them in the browser they are still there with a date :/. So you can't refer 
to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double 
checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in 
{{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be 
there after autoLoginRemove (which calls logout, important for the sequel). So 
after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls 
autoLoginRemove which depends on the cookie value ("autoUserLoginId"). And sets 
the sessionAttributes.autoName again on which the information in header depends.

The autoLogin feature improves the user's experience. During a year if the 
user comes back s/he is logged in automatically after her/his last visit.
But if the user is not the right one (for instance several users use the same 
machine) or if s/he decided to log out then s/he should not be logged in and 
her/his name should not appear on header.

Here is a patch that should conform the behaviour to this "specification", 
please check if it's OK with you before I commit. Note that you might encounter 
an issue if you don't start from a clean state. So better to remove the JSESSIONID 
cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. 
Also not only rely on 1st visit processor to run autoLoginCheck but also on 
preprocessor. The latter might be controversial but I did not find a better way 
to fix the current behaviour.

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>   

[jira] [Commented] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711497#comment-16711497
 ] 

Jacques Le Roux commented on OFBIZ-10666:
-

Yes and it's based on the autologin cookie and that's where things get 
complicated.

I cleaned the situation with the OFBIZ-4959 and OFBIZ-10635. But browsers' 
behaviours are different. That's why The Onion wrote [this 
parody|https://www.theonion.com/after-checking-your-bank-account-remember-to-log-out-1819584860].
For instance FF is snarky because [it does not delete expired cookies 
immediately even if you close 
FF|https://support.mozilla.org/fr/questions/983361]. So when you quickly look 
at them in the browser they are still there with a date :/. So you can't refer 
to FF for checking cookie values.

Also there are still some inconsistencies with current behaviour. So I double 
checked that in detail and here are my conclusions.

I did well by setting {{autoLoginCookie.setMaxAge(0);}} in 
{{LoginWorker::autoLoginRemove}}. But I missed that the cookie can still be 
there after autoLoginRemove (which calls logout, important for the sequel). So 
after a logout or an autoLoginRemove, OFBiz considers it's a 1st visit and calls 
autoLoginRemove which depends on the cookie value ("autoUserLoginId"). And sets 
the sessionAttributes.autoName again on which the information in header depends.

The autoLogin feature improves the user's experience. During a year if the 
user comes back s/he is logged in automatically after her/his last visit.
But if the user is not the right one (for instance several users use the same 
machine) or if s/he decided to log out then s/he should not be logged in and 
her/his name should not appear on header.

Here is a patch that should conform the behaviour to this "specification", 
please check if it's OK with you before I commit. Note that you might encounter 
an issue if you don't start from a clean state. So better to remove the JSESSIONID 
cookie for the ecommerce application before starting.

The idea is to have only one way to logout and autoLoginRemove should be used. 
Also not only rely on 1st visit processor to run autoLoginCheck but also on 
preprocessor. The latter might be controversial but I did not find a better way 
to fix the current behaviour.

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png, OFBIZ-10666.patch
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)



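The sequence described in the comment above, modelled without the servlet API as an added example; it is not the OFBIZ-10666 patch and not OFBiz code. The `Exchange` class and the `autoLoginRemoved` request attribute are hypothetical, and "autoUserLoginId" is used as the cookie label because that is the only name the comment gives.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class AutoLoginLogoutDemo {
    static final String AUTO_COOKIE = "autoUserLoginId";   // label taken from the comment
    static final String REMOVED_FLAG = "autoLoginRemoved"; // hypothetical request attribute

    /** Minimal stand-in for one HTTP exchange plus the server-side session. */
    static final class Exchange {
        final Map<String, String> requestCookies = new HashMap<>();
        final Map<String, Object> requestAttributes = new HashMap<>();
        final List<String> setCookieHeaders = new ArrayList<>();
        Map<String, Object> session = new HashMap<>();
    }

    /**
     * Logout: the session is replaced and the cookie is expired in the RESPONSE.
     * The copy of the cookie that arrived with this request is unaffected.
     */
    static void autoLoginRemove(Exchange ex, boolean markRequest) {
        ex.session = new HashMap<>();
        ex.setCookieHeaders.add(AUTO_COOKIE + "=; Max-Age=0");
        if (markRequest) {
            ex.requestAttributes.put(REMOVED_FLAG, Boolean.TRUE);
        }
    }

    /** First-visit style check: restores autoName from the cookie the request carried. */
    static void autoLoginCheck(Exchange ex) {
        if (Boolean.TRUE.equals(ex.requestAttributes.get(REMOVED_FLAG))) {
            return; // the user just logged out in this request: ignore the stale cookie
        }
        String id = ex.requestCookies.get(AUTO_COOKIE);
        if (id != null && !id.isEmpty()) {
            ex.session.put("autoName", id);
        }
    }

    /** Returns what the page header would read from the session after a logout request. */
    static Object nameShownAfterLogout(boolean markRequest) {
        Exchange ex = new Exchange();
        ex.requestCookies.put(AUTO_COOKIE, "admin"); // constructed sample value
        ex.session.put("autoName", "admin");
        autoLoginRemove(ex, markRequest);
        autoLoginCheck(ex); // the fresh session looks like a first visit
        return ex.session.get("autoName");
    }

    public static void main(String[] args) {
        System.out.println("cookie expiry only : autoName=" + nameShownAfterLogout(false));
        System.out.println("request marked too : autoName=" + nameShownAfterLogout(true));
    }
}
```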


[jira] [Assigned] (OFBIZ-10696) ConcurrentModificationException in ShoppingCart.cleanUpShipGroups

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-10696:
---

Assignee: Jacques Le Roux

> ConcurrentModificationException in ShoppingCart.cleanUpShipGroups
> -
>
> Key: OFBIZ-10696
> URL: https://issues.apache.org/jira/browse/OFBIZ-10696
> Project: OFBiz
>  Issue Type: Bug
>  Components: order
>Affects Versions: Trunk
>Reporter: Danny Trunk
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: OFBIZ-10696.diff
>
>
> {code:java}
> java.util.ConcurrentModificationException: null
> at 
> java.util.LinkedList$ListItr.checkForComodification(LinkedList.java:966) 
> ~[?:1.8.0_181]
> at java.util.LinkedList$ListItr.next(LinkedList.java:888) 
> ~[?:1.8.0_181]
> at 
> org.apache.ofbiz.order.shoppingcart.ShoppingCart.cleanUpShipGroups(ShoppingCart.java:2199)
>  ~[ofbiz.jar:?]
> {code}
> There's a for-loop over shipInfo and a call to clear inside this loop which 
> leads to a ConcurrentModificationException: 
> https://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppingcart/ShoppingCart.java?view=markup#l2251





[jira] [Updated] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-10666:

Attachment: OFBIZ-10666.patch

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png, OFBIZ-10666.patch
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)





[jira] [Updated] (OFBIZ-10696) ConcurrentModificationException in ShoppingCart.cleanUpShipGroups

2018-12-06 Thread Danny Trunk (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Danny Trunk updated OFBIZ-10696:

Attachment: OFBIZ-10696.diff

> ConcurrentModificationException in ShoppingCart.cleanUpShipGroups
> -
>
> Key: OFBIZ-10696
> URL: https://issues.apache.org/jira/browse/OFBIZ-10696
> Project: OFBiz
>  Issue Type: Bug
>  Components: order
>Affects Versions: Trunk
>Reporter: Danny Trunk
>Priority: Major
> Attachments: OFBIZ-10696.diff
>
>
> {code:java}
> java.util.ConcurrentModificationException: null
> at 
> java.util.LinkedList$ListItr.checkForComodification(LinkedList.java:966) 
> ~[?:1.8.0_181]
> at java.util.LinkedList$ListItr.next(LinkedList.java:888) 
> ~[?:1.8.0_181]
> at 
> org.apache.ofbiz.order.shoppingcart.ShoppingCart.cleanUpShipGroups(ShoppingCart.java:2199)
>  ~[ofbiz.jar:?]
> {code}
> There's a for-loop over shipInfo and a call to clear inside this loop which 
> leads to a ConcurrentModificationException: 
> https://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppingcart/ShoppingCart.java?view=markup#l2251





[jira] [Commented] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Deepak Dixit (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711245#comment-16711245
 ] 

Deepak Dixit commented on OFBIZ-10666:
--

This is due to autoLogin feature, it's not a bug instead it's a feature, we can 
say its soft login or autologin.



> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)





[jira] [Commented] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Arpit Mor (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711208#comment-16711208
 ] 

Arpit Mor commented on OFBIZ-10666:
---

Hi Jacques,

"Not you" link does not work even when you click on it before logging out. If a 
user is logged in and he clicks on "Not you" link then the user does get logged 
out which is working as expected but the issue here is that the name of user is 
still displayed after the user is logged out by clicking on "Not you"

 

IMO if the issue where the name of the user is displayed after he logs out is 
resolved then the issue with "Not you" link will also be resolved

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)





[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"

2018-12-06 Thread Michael Brohl (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711177#comment-16711177
 ] 

Michael Brohl commented on OFBIZ-4361:
--

Hi [~jacques.le.roux], [~soledad],

any chance to review the patch in the coming days? This is already productive 
in one of our projects and I think it can be committed.

> Any ecommerce user has the ability to reset anothers password (including 
> admin) via "Forget Your Password"
> --
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Release Branch 11.04, Release Branch 13.07, Release 
> Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release 
> Branch 17.12
> Environment: Ubuntu and others
>Reporter: mz4wheeler
>Assignee: Michael Brohl
>Priority: Major
>  Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, 
> OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, 
> OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to 
> reset another user's password, including "admin" without permission.  By 
> simply entering "admin" and clicking "Email Password", the following is 
> displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password.  It is also 
> possible to generate a dictionary attack against ofbiz because there is no 
> captcha code required.  This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name 
> is optionally in the format of an email address, and maybe require a captcha 
> code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was 
> generated via an ecommerce transaction.





[jira] [Commented] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16711163#comment-16711163
 ] 

Jacques Le Roux commented on OFBIZ-10666:
-

If you click on the "Not you" link before logging out it works, but not after 
having clicked on the logging out link, which does not work. I think I know why 
and will fix that soon.

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)





[jira] [Created] (OFBIZ-10696) ConcurrentModificationException in ShoppingCart.cleanUpShipGroups

2018-12-06 Thread Danny Trunk (JIRA)
Danny Trunk created OFBIZ-10696:
---

 Summary: ConcurrentModificationException in 
ShoppingCart.cleanUpShipGroups
 Key: OFBIZ-10696
 URL: https://issues.apache.org/jira/browse/OFBIZ-10696
 Project: OFBiz
  Issue Type: Bug
  Components: order
Affects Versions: Trunk
Reporter: Danny Trunk


{code:java}
java.util.ConcurrentModificationException: null
at 
java.util.LinkedList$ListItr.checkForComodification(LinkedList.java:966) 
~[?:1.8.0_181]
at java.util.LinkedList$ListItr.next(LinkedList.java:888) ~[?:1.8.0_181]
at 
org.apache.ofbiz.order.shoppingcart.ShoppingCart.cleanUpShipGroups(ShoppingCart.java:2199)
 ~[ofbiz.jar:?]
{code}
There's a for-loop over shipInfo and a call to clear inside this loop which 
leads to a ConcurrentModificationException: 
https://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/order/src/main/java/org/apache/ofbiz/order/shoppingcart/ShoppingCart.java?view=markup#l2251





[jira] [Assigned] (OFBIZ-10666) User's name is displayed on ecommerce even after user logs out

2018-12-06 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10666?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux reassigned OFBIZ-10666:
---

Assignee: Jacques Le Roux  (was: Garima jain)

> User's name is displayed on ecommerce even after user logs out
> --
>
> Key: OFBIZ-10666
> URL: https://issues.apache.org/jira/browse/OFBIZ-10666
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk
>Reporter: Arpit Mor
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: 1-OpenURL.png, 2-LoggedIn.png, 3-LoggedOut.png, 
> 4-NotYou.png
>
>
> Steps to regenerate:
>  # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main]. 
> Welcome is displayed and user's name is not displayed when URL is opened. 
> (Please refer attachment: 1-OpenURL)
>  # Login at ecommerce by clicking on login and entering Username: "admin" and 
> Password: "ofbiz". Username will be displayed after user logs in. (Please 
> refer attachment: 2-LoggedIn)
>  # Logout of ecommerce by clicking on logout. User will be logged out and 
> login link will be displayed in place of logout link, but the name of user is 
> still displayed. (Please refer attachment: 3-LoggedOut)
> Actual: Username is still displayed after user logs out
>  
> Expected: Username should not be displayed after the user logs out
>  
> Note: Similar issue also exists when the user clicks on (Not You? Click Here) 
> link. (Please refer attachment: 4-NotYou)


