[jira] [Created] (OFBIZ-12567) FinAccount Screen shows create trigger to user with VIEW permission
Pierre Smits created OFBIZ-12567:

Summary: FinAccount Screen shows create trigger to user with VIEW permission
Key: OFBIZ-12567
URL: https://issues.apache.org/jira/browse/OFBIZ-12567
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/EditFinAccount?finAccountId=ABN_CHECKING as a user with only VIEW permissions (e.g. userId=auditor) the screen shows an action trigger to create something. This should not be visible to such a user as it leads to an undesired effect and diminished user experience.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
[jira] [Created] (OFBIZ-12566) Screen FinAccountMain shows create trigger to user with VIEW permissions
Pierre Smits created OFBIZ-12566:

Summary: Screen FinAccountMain shows create trigger to user with VIEW permissions
Key: OFBIZ-12566
URL: https://issues.apache.org/jira/browse/OFBIZ-12566
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/FinAccountMain as a user with only VIEW permissions (e.g. userId=auditor) an action trigger to create something is shown. This should not be visible to such a user as it leads to an undesired effect and diminished user experience.
[jira] [Created] (OFBIZ-12565) Billing Account Payments - VIEW permissions
Pierre Smits created OFBIZ-12565:

Summary: Billing Account Payments - VIEW permissions
Key: OFBIZ-12565
URL: https://issues.apache.org/jira/browse/OFBIZ-12565
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/BillingAccountPayments?billingAccountId=9010 as a user with only VIEW permissions (e.g. userId=auditor), the screen shows a form to create a payment. This should not be visible to such a user as it leads to an undesired effect and diminished user experience.
[jira] [Created] (OFBIZ-12564) Edit Billing Account screen shows create trigger to user with VIEW permission
Pierre Smits created OFBIZ-12564:

Summary: Edit Billing Account screen shows create trigger to user with VIEW permission
Key: OFBIZ-12564
URL: https://issues.apache.org/jira/browse/OFBIZ-12564
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/EditBillingAccount?billingAccountId=9010 as a user with only VIEW permissions (e.g. userId=auditor), the screen shows an action trigger to create something. This should not be visible to such a user as it leads to an undesired effect and diminished user experience.
[jira] [Created] (OFBIZ-12563) Find Billing Account screen shows 'create' trigger to user with VIEW permission
Pierre Smits created OFBIZ-12563:

Summary: Find Billing Account screen shows 'create' trigger to user with VIEW permission
Key: OFBIZ-12563
URL: https://issues.apache.org/jira/browse/OFBIZ-12563
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/FindBillingAccount as a user with only VIEW permissions (e.g. userId=auditor), the action trigger to create something is shown. This should not be visible to such a user as it leads to an undesired effect and diminished user experience.
[jira] [Created] (OFBIZ-12562) Search result FindPaymentGroup shows 'Cancel' trigger to user with VIEW permission
Pierre Smits created OFBIZ-12562:

Summary: Search result FindPaymentGroup shows 'Cancel' trigger to user with VIEW permission
Key: OFBIZ-12562
URL: https://issues.apache.org/jira/browse/OFBIZ-12562
Project: OFBiz
Issue Type: Improvement
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/FindPaymentGroup as a user with only VIEW permissions (e.g. userId=auditor), the overview of payments found shows an action trigger to cancel a payment.
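The reports above (OFBIZ-12562 through OFBIZ-12567) all describe a create or cancel trigger rendered for a user who holds only a VIEW permission. The following is an added illustration, not OFBiz's own menu source, of how a widget menu-item is gated on the CREATE permission; the menu, item, target and label names are placeholders. Hiding the trigger is the UI fix the reports ask for; the server-side permission check on the create service remains the control that actually blocks the action.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not OFBiz's AccountingMenus.xml. It assumes the
     create trigger is a <menu-item> in a widget menu; the menu, item,
     target and uiLabel names below are placeholders. -->
<menus>

    <!-- As reported: the item carries no condition, so it renders for every
         user who can open the screen, including one holding only
         ACCOUNTING_VIEW (e.g. userId=auditor). Submitting it can only end
         in a permission error from the create service. -->
    <menu name="FinAccountCreateMenuBefore">
        <menu-item name="createFinAccount" title="${uiLabelMap.AccountingNewFinAccount}">
            <link target="EditFinAccount"/>
        </menu-item>
    </menu>

    <!-- Fixed: the item renders only when the user has ACCOUNTING_CREATE.
         OFBiz's entity permission check also accepts ACCOUNTING_ADMIN,
         so administrators keep the trigger without a second condition. -->
    <menu name="FinAccountCreateMenuAfter">
        <menu-item name="createFinAccount" title="${uiLabelMap.AccountingNewFinAccount}">
            <condition>
                <if-has-permission permission="ACCOUNTING" action="_CREATE"/>
            </condition>
            <link target="EditFinAccount"/>
        </menu-item>
    </menu>

</menus>
```

For the OFBIZ-12562 cancel trigger the same condition applies with action="_UPDATE", since cancelling changes the payment's status rather than creating a record.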
[jira] [Created] (OFBIZ-12561) Payment Find screen shows unnecessary 'find' trigger
Pierre Smits created OFBIZ-12561:

Summary: Payment Find screen shows unnecessary 'find' trigger
Key: OFBIZ-12561
URL: https://issues.apache.org/jira/browse/OFBIZ-12561
Project: OFBiz
Issue Type: Bug
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits

When accessing https://localhost:8443/accounting/control/findPayments a trigger is shown to access the Payment Find screen. This is redundant.
[jira] [Comment Edited] (OFBIZ-12558) Possible authenticated attack related to Tomcat CVE-2020-1938
[ https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488761#comment-17488761 ]

Jacques Le Roux edited comment on OFBIZ-12558 at 2/8/22, 12:17 PM:
---

Hi Michael,

Yes I know, for security reasons the current OOTB configuration only works with localhost. I have that already documented and committed but not pushed, facing other issues with SecuredUpload. I'll soon push all...

was (Author: jacques.le.roux):
Hi Michael,

Yes I know, for secrutiy reason the current OOTB configuration only works with localhost. I have that already documented and committed but not pushed, facing other issues with SecuredUpoad. I'll soon push all...

> Possible authenticated attack related to Tomcat CVE-2020-1938
> -------------------------------------------------------------
>
> Key: OFBIZ-12558
> URL: https://issues.apache.org/jira/browse/OFBIZ-12558
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: 18.12.05, Upcoming Branch
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Lion Tree has reported to us that "CVE-2020-1938 is not fully fixed".
> Though it was fixed by OFBIZ-11407, it is still possible for an authenticated user to upload a webshell included in an image using one of the OFBiz upload possibilities. That of course is not new and already covered by OFBIZ-12080 "Secure the uploads", but was still incomplete.
> So this Jira covers 2 points:
> # Disable bypass of Tomcat due to setting in framework/catalina/ofbiz-component.xml
> # Enforce upload prevention of webshells, specifically but not only those included in images
[jira] [Commented] (OFBIZ-12558) Possible authenticated attack related to Tomcat CVE-2020-1938
[ https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488761#comment-17488761 ]

Jacques Le Roux commented on OFBIZ-12558:
---

Hi Michael,

Yes I know, for security reasons the current OOTB configuration only works with localhost. I have that already documented and committed but not pushed, facing other issues with SecuredUpload. I'll soon push all...
[GitHub] [ofbiz-framework] sonarcloud[bot] commented on pull request #508: Fixed: Party Main: duplicate action trigger (Person/Group) (OFBIZ-12560)
sonarcloud[bot] commented on pull request #508:
URL: https://github.com/apache/ofbiz-framework/pull/508#issuecomment-1032441429

Kudos, SonarCloud Quality Gate passed!

0 Bugs (rating A)
0 Vulnerabilities (rating A)
0 Security Hotspots (rating A)
0 Code Smells (rating A)
No Coverage information
No Duplication information

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscr...@ofbiz.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[GitHub] [ofbiz-framework] PierreSmits opened a new pull request #508: Fixed: Party Main: duplicate action trigger (Person/Group) (OFBIZ-12560)
PierreSmits opened a new pull request #508:
URL: https://github.com/apache/ofbiz-framework/pull/508

When accessing https://localhost:8443/partymgr/control/main the screen shows duplicate action triggers for the creation of a new party of type=PERSON or of type=PARTYGROUP. These action triggers come from the MainActionMenu for the component, and from the 'CreateNewParty' menu.

modified: PartyMenus.xml
removed from menu CreateNewParty:
- menu-item for the creation of a PartyGroup
- menu-item for the creation of a Person
as these already exist in the MainActionMenu of the component.
[jira] [Created] (OFBIZ-12560) Party Main: duplicate action trigger (Person/Group)
Pierre Smits created OFBIZ-12560:

Summary: Party Main: duplicate action trigger (Person/Group)
Key: OFBIZ-12560
URL: https://issues.apache.org/jira/browse/OFBIZ-12560
Project: OFBiz
Issue Type: Bug
Components: party
Affects Versions: Upcoming Branch
Reporter: Pierre Smits
Assignee: Pierre Smits

When accessing https://localhost:8443/partymgr/control/main the screen shows duplicate action triggers for the creation of a new party of type=PERSON or of type=PARTYGROUP. These action triggers come from the MainActionMenu for the component, and from the 'CreateNewParty' menu.
[jira] [Commented] (OFBIZ-12558) Possible authenticated attack related to Tomcat CVE-2020-1938
[ https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17488701#comment-17488701 ]

Michael Brohl commented on OFBIZ-12558:
---

Hi Jacques,

commit 5b1843f1c068b93d928420c80c1a8301990ef580 does lead to an error as follows, can you please check?

    SEVERE: Failed to start component [Connector[AJP/1.3-8009]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1075)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:449)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:927)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Tomcat.start(Tomcat.java:486)
        at org.apache.ofbiz.catalina.container.CatalinaContainer.start(CatalinaContainer.java:134)
        at org.apache.ofbiz.base.container.ContainerLoader.startLoadedContainers(ContainerLoader.java:153)
        at org.apache.ofbiz.base.container.ContainerLoader.load(ContainerLoader.java:77)
        at org.apache.ofbiz.base.start.StartupControlPanel.loadContainers(StartupControlPanel.java:146)
        at org.apache.ofbiz.base.start.StartupControlPanel.start(StartupControlPanel.java:70)
        at org.apache.ofbiz.base.start.Start.main(Start.java:89)
    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
        at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:270)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072)
        ... 12 more
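The startup failure quoted above is the Tomcat side of the CVE-2020-1938 (Ghostcat) hardening: an AJP connector that requires a secret but has none refuses to start. Below is an added illustration, in standard Tomcat server.xml syntax rather than the framework/catalina/ofbiz-component.xml the issue refers to (assumed to carry the same connector attributes into OFBiz's embedded Tomcat), of the failing configuration beside the one that starts and is safe to expose to a reverse proxy.

```xml
<!-- Added illustration in Tomcat server.xml form; OFBiz's own
     ofbiz-component.xml is assumed to pass these same attributes to
     the embedded connector. -->

<!-- What the stack trace describes: since the CVE-2020-1938 fix
     (Tomcat 9.0.31 / 8.5.51 / 7.0.100) secretRequired defaults to true,
     so an AJP connector with no secret fails in AbstractAjpProtocol.start. -->
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
           secretRequired="true"/>

<!-- Hardened: bound to loopback only (the "only works with localhost"
     behaviour Jacques Le Roux mentions above) and protected by a shared
     secret that the fronting proxy (mod_jk or mod_proxy_ajp) must be
     configured to send. The secret value here is a placeholder. -->
<Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET"/>

<!-- If nothing speaks AJP to this instance, omit the connector entirely;
     port 8009 is then never opened and there is nothing to harden. -->
```

A quick check after a restart is that 8009 is listening only on 127.0.0.1 (for example with `ss -ltnp`) and that a proxy request without the secret is rejected with 403.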
[GitHub] [ofbiz-framework] sonarcloud[bot] commented on pull request #507: Fixed: GlSetupScreens.xml - MainActionMenu not shown (OFBIZ-12559)
sonarcloud[bot] commented on pull request #507:
URL: https://github.com/apache/ofbiz-framework/pull/507#issuecomment-1032403046

Kudos, SonarCloud Quality Gate passed!

0 Bugs (rating A)
0 Vulnerabilities (rating A)
0 Security Hotspots (rating A)
0 Code Smells (rating A)
No Coverage information
0.0% Duplication
[GitHub] [ofbiz-framework] PierreSmits opened a new pull request #507: Fixed: GlSetupScreens.xml - MainActionMenu not shown (OFBIZ-12559)
PierreSmits opened a new pull request #507:
URL: https://github.com/apache/ofbiz-framework/pull/507

The MainActionMenu of the Accounting component is intended to provide users with CREATE permissions a direct way to create the main objects of the Accounting component (Gl transaction, invoice, payment), instead of, as such a user, having to go through multiple screens to get to the action trigger to create such objects. The MainActionMenu is applied in various decorator screens. It is, however, not applied in the GlSetupScreens.xml file.

Modified: GlSetupScreens.xml
added pre-body decorator section, including ref to MainActionMenu, to:
- screen ListCompanies
- screen AddCompany
- screen ImportExport
[jira] [Created] (OFBIZ-12559) GlSetupScreens.xml - MainActionMenu not shown
Pierre Smits created OFBIZ-12559:

Summary: GlSetupScreens.xml - MainActionMenu not shown
Key: OFBIZ-12559
URL: https://issues.apache.org/jira/browse/OFBIZ-12559
Project: OFBiz
Issue Type: Bug
Components: accounting
Affects Versions: Upcoming Branch
Reporter: Pierre Smits
Assignee: Pierre Smits

The MainActionMenu of the Accounting component is intended to provide users with CREATE permissions a direct way to create the main objects of the Accounting component (Gl transaction, invoice, payment), instead of, as such a user, having to go through multiple screens to get to the action trigger to create such objects. The MainActionMenu is applied in various decorator screens. It is, however, not applied in the GlSetupScreens.xml file.