[jira] [Updated] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin updated OFBIZ-11176:
----------------------------------
    Description:
When you search orders on the standard screen [1] you can't unselect a country.
!Screenshot from 2019-08-27 09-49-41.png!
The problem comes from the country list populated by countries.ftl, which selects a country by default without any possibility to escape it.
The patch [^OFBIZ-11176.patch] solves it by adding a possibility to escape the auto-select.
If you found a better solution, I'm open ;)
[1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/findorders

  was:
When you search orders on the standard screen [1] you can't unselect a country.
!Screenshot from 2019-08-27 09-49-41.png!
The problem comes from the country list populated by countries.ftl, which selects a country by default without any possibility to escape it.
The patch solves it by adding a possibility to escape the auto-select.
[1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/findorders

> Find order screen can't make a search without ship to country
> -------------------------------------------------------------
>
>                 Key: OFBIZ-11176
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11176
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: order
>    Affects Versions: Trunk, Release Branch 18.12
>            Reporter: Nicolas Malin
>            Priority: Minor
>         Attachments: OFBIZ-11176.patch, Screenshot from 2019-08-27 09-49-41.png
>
>
> When you search orders on the standard screen [1] you can't unselect a country.
> !Screenshot from 2019-08-27 09-49-41.png!
> The problem comes from the country list populated by countries.ftl, which selects a country by default without any possibility to escape it.
> The patch [^OFBIZ-11176.patch] solves it by adding a possibility to escape the auto-select.
> If you found a better solution, I'm open ;)
> [1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/findorders

--
This message was sent by Atlassian Jira
(v8.3.2#803003)
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916529#comment-16916529 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

I wrote above
{quote}There is one thing which is worrying me, why have the JWT in a hidden form parameter? Could you not put it in a cookie?{quote}
It's not needed. The hidden form parameter is
{quote} {quote}
in ChangePassword.ftl. It's only handled on the server side, so no worries.

Apart from that, I reviewed and tested, it's OK with me.

Stuff I found while reviewing:

Unused vars in LoginEvents.java:
{quote}private static final String keyValue = UtilProperties.getPropertyValue(LoginWorker.securityProperties, "login.secret_key_string");{quote}
in forgotPassword()
{quote}GenericDelegator delegator = (GenericDelegator) request.getAttribute("delegator");{quote}
{quote}String errMsg = null;{quote}
in emailPasswordRequest()
{quote}Locale locale = UtilHttp.getLocale(request);{quote}
All that mostly thanks to Eclipse ;)

In emailPasswordRequest()
{code:java}
if (UtilValidate.isEmpty(userLoginId)) {
    String errMsg = UtilProperties.getMessage(resource, "loginevents.username_was_empty_reenter", UtilHttp.getLocale(request));
    request.setAttribute("_ERROR_MESSAGE_", errMsg);
    return "error";
}
{code}
is useless, it's already checked in forgotPassword(), which is the only method calling emailPasswordRequest().

In the comment
// Generate a JWT with *defaut* retention time
should be *default* ;)

I don't think changes in general.properties are wanted. Notably mail.debug.on=Y is dangerous. It can be exploited to look at the message sent, like (even if w/ the secret key it remains hard to decipher)
{noformat}
This email is in response to your request to have password sent to you.
{noformat}

I agree about security.jwt.token.expireTime=1800

ForgotPassword.ftl has a duplicated ASL2 header

Also it should be noted (was already like that) that for a user to be able to change the password this user must have the permission to access the partymgr webapp. So every ecommerce client must have this permission!

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-4361
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4361
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
>         Environment: Ubuntu and others
>            Reporter: mz4wheeler
>            Assignee: Jacques Le Roux
>            Priority: Major
>              Labels: security
>         Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed.
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916564#comment-16916564 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

The missing key exists on the trunk demo but not locally. The number of keys is the same, all the other keys are the same. Not sure why yet, maybe it was changed in the process of changing the password?
[jira] [Created] (OFBIZ-11176) Find order screen can't make a search without ship to country
Nicolas Malin created OFBIZ-11176:
----------------------------------

             Summary: Find order screen can't make a search without ship to country
                 Key: OFBIZ-11176
                 URL: https://issues.apache.org/jira/browse/OFBIZ-11176
             Project: OFBiz
          Issue Type: Improvement
          Components: order
    Affects Versions: Trunk, Release Branch 18.12
            Reporter: Nicolas Malin
         Attachments: Screenshot from 2019-08-27 09-49-41.png

When you search orders on the standard screen [1] you can't unselect a country.
!Screenshot from 2019-08-27 09-49-41.png!
The problem comes from the country list populated by countries.ftl, which selects a country by default without any possibility to escape it.
The patch solves it by adding a possibility to escape the auto-select.
[1] https://demo-trunk.ofbiz.apache.org/ordermgr/control/findorders
[jira] [Updated] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aditya Sharma updated OFBIZ-10729:
----------------------------------
    Attachment: OFBIZ-10729.patch

> Add subscribe email on website mailing list page
> ------------------------------------------------
>
>                 Key: OFBIZ-10729
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10729
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: site
>            Reporter: Deepak Dixit
>            Assignee: Aditya Sharma
>            Priority: Major
>         Attachments: OFBIZ-10729-Alt.patch, OFBIZ-10729.patch, OFBIZ-10729.patch, SubscribeMailingList-Mid.png, SubscribeMailingList-Top-Alt.png, SubscribeMailingList-bottom.png, SubscribeMailingList.png, SubscribeMailingList.png, SubscribeMailingListAlt-1.png, SubscribeMailingListAlt-2.png
>
>
> As per the current implementation, we have a link to lists.apache.org for subscribing to the mailing list.
> When a user visits the lists.apache.org website it has the option to subscribe; this tries to open an email client, and if no email client is set up on the user's machine, it's difficult to subscribe.
> We can add an alternate option as well along with the lists.apache.org link: a simple text with the subscribe email address.
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916658#comment-16916658 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

About concerns found in this issue:

In the description
{quote}The following occurred:
A new password has been created and sent to you. Please check your Email.
This now forces the user of the ERP to change their password.{quote}
With this patch, nobody is forced to do anything. People just need to ignore the email. So I think we should add a note for users, like: {color:#DE350B}"Please ignore this email if you did not request a password change". To be added to with "This link can be used only once"{color}

{quote}It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.
This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.{quote}
I'm not sure it's a real security issue, you can always do that against any login page. But this is an interesting point. I don't think it has been implemented with the current patch.
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916577#comment-16916577 ]

Jacques Le Roux commented on OFBIZ-4361:
----------------------------------------

OK, I think I got it: you can use the link in the email only once :)
[jira] [Comment Edited] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916577#comment-16916577 ]

Jacques Le Roux edited comment on OFBIZ-4361 at 8/27/19 10:38 AM:
------------------------------------------------------------------

OK, I think I got it: you can use the link in the email only once :)
We should say it in the email

was (Author: jacques.le.roux):
OK, I think I got it: you can use the link in the email only once :)
[jira] [Updated] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aditya Sharma updated OFBIZ-10729:
----------------------------------
    Attachment: SubscribeMailingList-Top-Alt.png
                SubscribeMailingList-Mid.png
                SubscribeMailingList-bottom.png
                SubscribeMailingList.png
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916613#comment-16916613 ]

Nicolas Malin commented on OFBIZ-4361:
--------------------------------------

Yes, I added a JWT generation by adding a key salted with userLoginId and currentPassword. So if you change your password, all the JWTs sent before would be expired ;)
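The single-use behaviour Nicolas describes above (the reset JWT is signed with a key salted with userLoginId and the current password, so the reset itself retires the token) and the 1800-second expiry agreed earlier in the thread, shown as an added Python example. This is not OFBiz's code: the server secret, the demo password hashing, the in-memory user store and the function names are assumptions made for the example, and the JWT is built by hand with the standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional

# Constructed demo values: the server secret and the user store are assumptions
# for this example, not OFBiz's security.properties or its UserLogin entity.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 1800  # the security.jwt.token.expireTime value discussed in the thread


def _hash_password(password: str) -> str:
    # Demo-only hash; OFBiz's own salted password hashing is not reproduced here.
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


# In-memory stand-in for UserLogin rows: userLoginId -> currentPassword (hashed).
USERS: Dict[str, Dict[str, str]] = {
    "admin": {"currentPassword": _hash_password("old-admin-pw")},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_key(user_login_id: str) -> bytes:
    """HMAC key = H(server secret || userLoginId || current password hash).

    Binding the key to the *current* password hash is what makes a reset token
    single-use: the reset changes the hash, so the key that signed the token no
    longer exists on the server afterwards and every older token fails to verify."""
    current = USERS[user_login_id]["currentPassword"]
    material = b"|".join([SECRET_KEY, user_login_id.encode(), current.encode()])
    return hashlib.sha256(material).digest()


def issue_reset_token(user_login_id: str, now: Optional[int] = None) -> str:
    """Build a compact HS256 JWT (header.payload.signature) for a password reset."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_login_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(signing_key(user_login_id), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_reset_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the userLoginId the token is valid for, or None.

    Rejects malformed tokens, unknown users, bad signatures (which includes every
    token issued before the user's password last changed) and expired tokens."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        payload = json.loads(_b64url_decode(payload_b64))
        user_login_id = payload["sub"]
        if user_login_id not in USERS:
            return None
        expected = hmac.new(signing_key(user_login_id),
                            (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        if int(payload["exp"]) <= now:
            return None
        return user_login_id
    except (ValueError, KeyError, TypeError):
        return None


def change_password(token: str, new_password: str, now: Optional[int] = None) -> bool:
    """Server side of the reset link: verify, then store the new hash.
    Storing the new hash is also what retires the token that authorised it."""
    user_login_id = verify_reset_token(token, now)
    if user_login_id is None:
        return False
    USERS[user_login_id]["currentPassword"] = _hash_password(new_password)
    return True


def demo() -> Dict[str, bool]:
    """Walk through the properties discussed in the thread at a fixed clock."""
    USERS["admin"]["currentPassword"] = _hash_password("old-admin-pw")  # known start state
    t0 = 1_700_000_000
    token = issue_reset_token("admin", now=t0)
    # Forged copy: same header and signature, payload with a far-future exp.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = _b64url(json.dumps({"sub": "admin", "iat": t0, "exp": t0 + 10**9},
                                        separators=(",", ":")).encode())
    forged = ".".join([header_b64, forged_payload, sig_b64])
    results = {
        "fresh_token_valid": verify_reset_token(token, now=t0 + 60) == "admin",
        "expired_after_ttl": verify_reset_token(token, now=t0 + TOKEN_TTL_SECONDS) is None,
        "forged_exp_rejected": verify_reset_token(forged, now=t0 + 60) is None,
        "first_use_succeeds": change_password(token, "new-admin-pw", now=t0 + 60),
    }
    # The same link a second time: the password hash changed, so the key changed.
    results["second_use_rejected"] = not change_password(token, "attacker-pw", now=t0 + 61)
    # A token issued after the change verifies against the new hash.
    results["reissued_valid"] = verify_reset_token(
        issue_reset_token("admin", now=t0 + 100), now=t0 + 101) == "admin"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The single-use guarantee only holds when the stored hash actually changes; a reset that writes back the same password keeps the old key alive, which is why the demo resets to a known starting state and picks a different password. The signature check runs before the expiry check so that a forged payload with an extended exp is rejected on the signature alone, and the expiry is evaluated against a caller-supplied clock so the 1800-second window can be tested deterministically.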
[jira] [Commented] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916659#comment-16916659 ]

Aditya Sharma commented on OFBIZ-10729:
---------------------------------------

Hi Jacques,

I have updated the patch along with the following images:
1. SubscribeMailingList.png
2. SubscribeMailingList-Mid.png
3. SubscribeMailingList-bottom.png
4. SubscribeMailingList-Top-Alt.png: This is an alternate suggestion for the top portion. We can move the heading above the image so that it doesn't have lots of empty space below the image.

In this patch, I have also updated the unsubscribe instructions with the statement:
{quote}Then, reply to the email from the mailing list manager program (EZMLM) to confirm unsubscribe.{quote}
[jira] [Updated] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin updated OFBIZ-11176:
----------------------------------
    Attachment: OFBIZ-11176.patch
[jira] [Commented] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916748#comment-16916748 ]

Jacques Le Roux commented on OFBIZ-10729:
-----------------------------------------

Thanks Aditya,

This looks good to me. I prefer SubscribeMailingList-Top-Alt.png (y)
[jira] [Closed] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin closed OFBIZ-11176.
---------------------------------
    Fix Version/s: Release Branch 18.12
                   Upcoming Branch
         Assignee: Nicolas Malin
       Resolution: Done

Thanks Jacques

I committed it at
* trunk: 1866011
* 18.12: 1866012
[jira] [Comment Edited] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917123#comment-16917123 ]

Nicolas Malin edited comment on OFBIZ-11176 at 8/27/19 9:33 PM:
-----------------------------------------------------------------

Thanks Jacques

I committed it at
* trunk: 1866012
* 18.12: 1866013

was (Author: soledad):
Thanks Jacques

I committed it at
* trunk: 1866011
* 18.12: 1866012
[jira] [Commented] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917442#comment-16917442 ]

Swapnil M Mane commented on OFBIZ-10729:
----------------------------------------

Thank you [~adityasharma] and [~jacques.le.roux].

Here are my thoughts on this.

1. I will also prefer the SubscribeMailingList-Top-Alt.png

2. We can update the instructions in the "Alternate Steps:" section as follows (taken reference from [here|https://apache.org/foundation/mailinglists.html])

To subscribe to any of the following lists, please follow the steps below
* Send an email to the appropriate address (see below)
user-subscr...@ofbiz.apache.org
dev-subscr...@ofbiz.apache.org
commits-subscr...@ofbiz.apache.org
notifications-subscr...@ofbiz.apache.org
* You will receive an email from the mailing list manager program (EZMLM); either a confirmation request or an error message (e.g. if you are not subscribed)
* Reply to the confirmation message
* Congratulations! You are now subscribed

3. Just want to know the thoughts of the community: should we make the alternate steps the main steps? Since the alternate steps don't have any dependency on the email client setup on the machine.

4. I think there is no need to add the alternative steps, "Alternately, please send ...", in the mid section (SubscribeMailingList-Mid.png).

Thanks!
[jira] [Updated] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Swapnil M Mane updated OFBIZ-11176:
-----------------------------------
    Sprint: OFBiz Community Day (Aug 2019)
[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-4361:
Comment: was deleted (was: [reflective] hmm, I restarted from scratch and all works for me [reflective])

> Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
>
> Key: OFBIZ-4361
> URL: https://issues.apache.org/jira/browse/OFBIZ-4361
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Release Branch 11.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12, Release Branch 16.11, Release Branch 17.12
> Environment: Ubuntu and others
> Reporter: mz4wheeler
> Assignee: Jacques Le Roux
> Priority: Major
> Labels: security
> Attachments: OFBIZ-4361.patch, OFBIZ-4361_OneScreen.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_ReworkPasswordLogic.patch, OFBIZ-4361_Token-Password-Registration.patch
>
> Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed:
>
> The following occurred:
> A new password has been created and sent to you. Please check your Email.
>
> This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against OFBiz because there is no captcha code required. This is a serious security risk.
> This feature could be reduced to a certain sub-set of users, whose login name is optionally in the format of an email address, and maybe require a captcha code to prevent dictionary attacks.
> For example, limit the feature to role "Customer" of type "Person" which was generated via an ecommerce transaction.
[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-4361:
Comment: was deleted (was: Mmm, last thought: the last one is certainly due to a String in a job referring to the sendEmailDated simple method in CommunicationEventServices.xml, which no longer exists ;) So it's something else...)
[jira] [Comment Edited] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916792#comment-16916792 ] Jacques Le Roux edited comment on OFBIZ-4361 at 8/27/19 3:13 PM:
Concerns in comments:

Tobias's comment - 22/Jun/17 12:45
bq. I believe the user shouldn't get any feedback regarding the success of the password reset. Otherwise one could use this service to check for existing email addresses or user logins. That could be a concern for users using their email address as username.
But it happens that the process always returns a success message (albeit not on a config error, of course) even when using non-existing usernames. So it's not a concern. It's impossible to discern right from wrong usernames this way.

Tobias later
bq. the user provides their login, the email is sent to the primary contact email address of the corresponding user
Michael answered
bq. I think this would be the safest way for a user who forgot his password but recalls his login/user name.
This is what the patch does.

Michael also proposed:
bq. One remaining case is when the user forgets his username/login. He will (hopefully) always recall his email address so it would be cool if he could provide his email address. If there is exactly one valid login associated with this email address, the process can go on. Else there should be some kind of message to call the administrator or something.
Tobias then proposed a complete solution 22/Jun/17 15:18
This is not handled at the moment.

mz4wheeler's comment - 23/Jun/17 17:07
bq. adding a new role, like "allow_password_resets"
To change their passwords ecommerce clients need to get access to partymngr. I think that's not secure enough and restriction of the possible actions (eg only allowed to reset password) would be a good idea...

Pierre Smits's comment - 10/Sep/18 12:05
bq. This seems to be a CVE, and should be prioritised as such.
I don't think so, nobody reported an effective proven way to compromise anything so far.

I wondered about JTI utilisation. Since the email link is only usable once (else you get an EntityCryptoException as reported above), Nicolas's proposed solution (JWT generation with key salt with userloginId + currentPassword and derived secret key saved in DB) is a kind of JTI. This reminds me about OFBIZ-10751, next task for me...

was (Author: jacques.le.roux):
Concerns in comments:

Tobias's comment - 22/Jun/17 12:45
bq. I believe the user shouldn't get any feedback regarding the success of the password reset. Otherwise one could use this service to check for existing email addresses or user logins. That could be a concern for users using their email address as username.
But it happens that the process always returns a success message (albeit not on a config error, of course) even when using non-existing usernames. So it's not a concern. It's impossible to discern right from wrong usernames this way.

Tobias later
bq. the user provides their login, the email is sent to the primary contact email address of the corresponding user
Michael answered
bq. I think this would be the safest way for a user who forgot his password but recalls his login/user name.
This is what the patch does.

Michael also proposed:
bq. One remaining case is when the user forgets his username/login. He will (hopefully) always recall his email address so it would be cool if he could provide his email address. If there is exactly one valid login associated with this email address, the process can go on. Else there should be some kind of message to call the administrator or something.
Tobias then proposed a complete solution 22/Jun/17 15:18
This is not handled at the moment.

mz4wheeler's comment - 23/Jun/17 17:07
bq. adding a new role, like "allow_password_resets"
To change their passwords ecommerce clients need to get access to partymngr. I think that's not secure enough and restriction of the possible actions (eg only allowed to reset password) would be a good idea...

Pierre Smits's comment - 10/Sep/18 12:05
bq. This seems to be a CVE, and should be prioritised as such.
I don't think so, nobody reported an effective proven way to compromise anything so far.

I wondered about JTI utilisation. Since the email link is only usable once (else you get an EntityCryptoException as reported above), Nicolas's proposed solution (JWT generation with key salt with userloginId + currentPassword and derived secret key saved in DB) is strong enough. This reminds me about OFBIZ-10751, next task for me...
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916792#comment-16916792 ] Jacques Le Roux commented on OFBIZ-4361:
Concerns in comments:

Tobias's comment - 22/Jun/17 12:45
bq. I believe the user shouldn't get any feedback regarding the success of the password reset. Otherwise one could use this service to check for existing email addresses or user logins. That could be a concern for users using their email address as username.
But it happens that the process always returns a success message (albeit not on a config error, of course) even when using non-existing usernames. So it's not a concern. It's impossible to discern right from wrong usernames this way.

Tobias later
bq. the user provides their login, the email is sent to the primary contact email address of the corresponding user
Michael answered
bq. I think this would be the safest way for a user who forgot his password but recalls his login/user name.
This is what the patch does.

Michael also proposed:
bq. One remaining case is when the user forgets his username/login. He will (hopefully) always recall his email address so it would be cool if he could provide his email address. If there is exactly one valid login associated with this email address, the process can go on. Else there should be some kind of message to call the administrator or something.
Tobias then proposed a complete solution 22/Jun/17 15:18
This is not handled at the moment.

mz4wheeler's comment - 23/Jun/17 17:07
bq. adding a new role, like "allow_password_resets"
To change their passwords ecommerce clients need to get access to partymngr. I think that's not secure enough and restriction of the possible actions (eg only allowed to reset password) would be a good idea...

Pierre Smits's comment - 10/Sep/18 12:05
bq. This seems to be a CVE, and should be prioritised as such.
I don't think so, nobody reported an effective proven way to compromise anything so far.

I wondered about JTI utilisation. Since the email link is only usable once (else you get an EntityCryptoException as reported above), Nicolas's proposed solution (JWT generation with key salt with userloginId + currentPassword and derived secret key saved in DB) is strong enough. This reminds me about OFBIZ-10751, next task for me...
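The reset-token scheme discussed in the comment above (a token whose signing key mixes the userLoginId with the current password hash, so it stops verifying once the password changes, plus one uniform response whether or not the login exists), as an added Python sketch that is not OFBiz's code. The in-memory `USERS` store, the server secret and the HMAC-signed token standing in for the JWT are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed in-memory user store standing in for OFBiz's UserLogin entity
# (hypothetical; not OFBiz code). Passwords are stored as salted PBKDF2 hashes.
USERS = {}

GENERIC_MESSAGE = "If this login exists, a reset link was sent to its primary email address."


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def add_user(user_login_id, password, email):
    salt = secrets.token_bytes(16)
    USERS[user_login_id] = {"salt": salt, "password_hash": hash_password(password, salt), "email": email}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _token_key(server_secret, user_login_id, password_hash):
    # The signing key mixes the login with the *current* password hash, as in the
    # JWT scheme the thread describes: once the password is changed the key changes,
    # so a token minted before the change no longer verifies (effectively single use,
    # without keeping a list of consumed token ids).
    material = f"{user_login_id}:{password_hash}".encode()
    return hmac.new(server_secret, material, hashlib.sha256).digest()


def issue_reset_token(server_secret, user_login_id, now, ttl=900):
    """Return a signed reset token for an existing login, or None if the login is unknown."""
    user = USERS.get(user_login_id)
    if user is None:
        return None
    body = _b64(json.dumps({"sub": user_login_id, "exp": now + ttl}, sort_keys=True).encode())
    key = _token_key(server_secret, user_login_id, user["password_hash"])
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())


def verify_reset_token(server_secret, token, now):
    """Return the login the token was issued for, or None if malformed, forged, expired or stale."""
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        user_login_id = payload["sub"]
        exp = int(payload["exp"])
        user = USERS[user_login_id]
        provided = _unb64(sig)
    except (ValueError, KeyError, TypeError):
        return None
    key = _token_key(server_secret, user_login_id, user["password_hash"])
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    if now >= exp:
        return None
    return user_login_id


def request_password_reset(server_secret, user_login_id, outbox, now):
    """Step 1, the 'Forget Your Password' form: same message whether or not the login
    exists, so the form cannot be used to enumerate logins (Tobias's concern above)."""
    token = issue_reset_token(server_secret, user_login_id, now)
    if token is not None:
        outbox.append((USERS[user_login_id]["email"], token))  # stand-in for sending the mail
    return GENERIC_MESSAGE


def complete_password_reset(server_secret, token, new_password, now):
    """Step 2, the emailed link: a valid token lets its holder set a new password once."""
    user_login_id = verify_reset_token(server_secret, token, now)
    if user_login_id is None:
        return False
    user = USERS[user_login_id]
    user["salt"] = secrets.token_bytes(16)
    user["password_hash"] = hash_password(new_password, user["salt"])
    return True


if __name__ == "__main__":
    secret = b"constructed-server-secret"  # constructed value; a real one belongs in configuration
    add_user("demo.customer", "old-password", "customer@example.invalid")
    outbox, now = [], 1_700_000_000
    print(request_password_reset(secret, "demo.customer", outbox, now))
    print(request_password_reset(secret, "no.such.login", outbox, now))  # same text, no mail sent
    _, token = outbox[0]
    print(complete_password_reset(secret, token, "new-password", now + 60))  # True
    print(complete_password_reset(secret, token, "again", now + 120))       # False: key changed
```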
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916802#comment-16916802 ] Jacques Le Roux commented on OFBIZ-4361:
I only applied [^OFBIZ-4361_Token-Password-Registration.patch]. It's the only one needed, right?
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916805#comment-16916805 ] Jacques Le Roux commented on OFBIZ-4361:
The French content for the loginservices.token_incorrect label sounds weird to me. The English value should be "Invalid token".
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916811#comment-16916811 ] Jacques Le Roux commented on OFBIZ-4361:
In webpos "Get Password Hint" does not work either. Got it, this feature has been removed (look for GetSecurityQuestion.ftl in [^OFBIZ-4361_Token-Password-Registration.patch]). Then the link should be removed also.
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916812#comment-16916812 ] Nicolas Malin commented on OFBIZ-4361:
{quote}With this patch, nobody is forced to do anything. People just need to ignore the email. So I think we should add a note for users, like: "Please ignore this email if you did not request a password change". To be added to with "This link can be used only once"{quote}
I agree with you and I can improve it in this way.

For the captcha, let each integrator implement what he wants; improving security at this time is another task for me.

Another interesting point is where the user changes his password. By default he changes it on partymgr because we ask for the password change from the framework, but for ecommerce he needs to obtain a link to ecommerce; finally, he needs to obtain a link where he is authorised to connect. The solution that I implemented was to offer a temporary authorisation to OFBiz access with the current user's permissions, not more ;)
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916818#comment-16916818 ] Nicolas Malin commented on OFBIZ-4361:
{quote}I only applied OFBIZ-4361_Token-Password-Registration.patch. It's the only one needed, right?{quote}
Yes, with all the improvements/reviews that you deem necessary.
[jira] [Commented] (OFBIZ-11176) Find order screen can't make a search without ship to country
[ https://issues.apache.org/jira/browse/OFBIZ-11176?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916515#comment-16916515 ] Jacques Le Roux commented on OFBIZ-11176:
I like the idea, tested, works => +1 (I also like patches where all is dynamic and you don't even need the Gradle continuous build for them to work with your already running local OFBiz instance ;))
[jira] [Commented] (OFBIZ-10729) Add subscribe email on website mailing list page
[ https://issues.apache.org/jira/browse/OFBIZ-10729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916561#comment-16916561 ] Aditya Sharma commented on OFBIZ-10729:
Thanks Jacques for looking into it :) I will provide an updated patch.
[jira] [Commented] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16916756#comment-16916756 ] Jacques Le Roux commented on OFBIZ-4361:
I tried to use the CORS stuff and it still works. In the backend, I tried to use "Get Password Hint" (this screen is always in French for me despite switching to English) but got nothing (stuck on the screen, nothing in the log).
[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset anothers password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-4361:
Comment: was deleted (was: Unsure, after Nicolas fixed OFBIZ-11175, I simply did a svn up in a 3rd console and the error did not display in the console where OFBiz runs
{noformat}
Waiting for changes to input files of tasks... (ctrl-d then enter to exit)
modified: C:\projectsASF\ofbiz\applications\product\src\main\java\org\apache\ofbiz\product\category\CategoryServices.java
Change detected, executing build...
{noformat}
But then got another error due to r1865920 in OFBIZ-11164
{noformat}
2019-08-26 12:07:16,523 |OFBiz-JobQueue-1 |GenericServiceJob |E| Async-Service failed.
org.apache.ofbiz.service.GenericServiceException: Error running simple method [sendEmailDated] in XML file [component://party/minilang/communication/CommunicationEventServices.xml]: (Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml)
 at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:81) ~[main/:?]
 at org.apache.ofbiz.minilang.SimpleServiceEngine.runSync(SimpleServiceEngine.java:48) ~[main/:?]
 at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:415) ~[main/:?]
 at org.apache.ofbiz.service.ServiceDispatcher.runSync(ServiceDispatcher.java:240) ~[main/:?]
 at org.apache.ofbiz.service.GenericDispatcherFactory$GenericDispatcher.runSync(GenericDispatcherFactory.java:88) ~[main/:?]
 at org.apache.ofbiz.service.job.GenericServiceJob.exec(GenericServiceJob.java:70) [main/:?]
 at org.apache.ofbiz.service.job.AbstractJob.run(AbstractJob.java:87) [main/:?]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_202]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_202]
 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_202]
Caused by: org.apache.ofbiz.minilang.MiniLangException: Could not find SimpleMethod sendEmailDated in XML document in resource: component://party/minilang/communication/CommunicationEventServices.xml
 at org.apache.ofbiz.minilang.SimpleMethod.runSimpleMethod(SimpleMethod.java:272) ~[main/:?]
 at org.apache.ofbiz.minilang.SimpleMethod.runSimpleService(SimpleMethod.java:293) ~[main/:?]
 at org.apache.ofbiz.minilang.SimpleServiceEngine.serviceInvoker(SimpleServiceEngine.java:79) ~[main/:?]
{noformat}
So yes, there are still discrepancies between dynamic and non-dynamic resources and it's hard to know when. This said, it's quite a convenient stuff and I'll stop there :D)
[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-4361:
-----------------------------------
    Comment: was deleted

(was: Gradle continuous build is really useful:

{noformat}
Waiting for changes to input files of tasks... (ctrl-d then enter to exit)
modified: C:\projectsASF\ofbiz\applications\securityext\src\main\java\org\apache\ofbiz\securityext\login\LoginEvents.java
modified: C:\projectsASF\ofbiz\applications\securityext\template\email\PasswordEmail.ftl
modified: C:\projectsASF\ofbiz\framework\common\config\SecurityextUiLabels.xml
and some more changes
Change detected, executing build...

> Task :compileJava
C:\projectsASF\ofbiz\applications\securityext\src\main\java\org\apache\ofbiz\securityext\login\LoginEvents.java:255: warning: [unchecked] unchecked conversion
List contactMechs = (List) ContactHelper.getContactMechByPurpose(userParty, "PRIMARY_EMAIL", false);
{noformat}

;))
[jira] [Issue Comment Deleted] (OFBIZ-4361) Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password"
[ https://issues.apache.org/jira/browse/OFBIZ-4361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-4361:
-----------------------------------
    Comment: was deleted

(was: For those interested, of course using Gradle continuous build can lead to certain discrepancies if you don't run OFBiz again when needed (eg Java classes to be reloaded). Only dynamic resources are updated (ie not Java classes for instance). Here is what happens when I apply the patch and try to get a password by email:

{noformat}
2019-08-26 11:21:23,429 |jsse-nio-8443-exec-5 |JavaEventHandler |E| Problems Processing Event
java.lang.NoSuchMethodError: org.apache.ofbiz.webapp.control.JWTManager.createJwt(Lorg/apache/ofbiz/entity/Delegator;Ljava/util/Map;Ljava/lang/String;I)Ljava/lang/String;
    at org.apache.ofbiz.security.SecurityUtil.generateJwtToAuthenticateUserLogin(SecurityUtil.java:133) ~[main/:?]
    at org.apache.ofbiz.securityext.login.LoginEvents.emailPasswordRequest(LoginEvents.java:269) ~[main/:?]
    at org.apache.ofbiz.securityext.login.LoginEvents.forgotPassword(LoginEvents.java:123) ~[main/:?]
{noformat}

Or do I miss something?
)
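The two password-reset flows this thread contrasts, written out as an added Python sketch that is not OFBiz code: legacy_email_password() reproduces the behaviour the issue reports (the stored password is replaced as soon as anyone submits a login name, and the reply reveals whether the login exists), while request_reset()/complete_reset() follow the token-based approach the deleted comments point at (the patch's generateJwtToAuthenticateUserLogin / JWTManager.createJwt path), with an HMAC-signed expiring token standing in for the JWT. USERS, OUTBOX, SIGNING_KEY, the throttle and the message texts are constructed stand-ins.

```python
import base64, hashlib, hmac, secrets, time

# Constructed stand-ins for the UserLogin table and the outgoing mail queue.
USERS = {"admin": {"password": "ofbiz", "email": "admin@example.com"}}
OUTBOX = []                              # (recipient, message body)
SIGNING_KEY = secrets.token_bytes(32)    # server-side secret, never sent out
TOKEN_TTL = 900                          # seconds a reset token stays valid
MAX_REQUESTS_PER_WINDOW = 3              # per login, within TOKEN_TTL
_requests = {}                           # login -> request timestamps

def legacy_email_password(login):
    """The behaviour the issue reports: the stored password is replaced as soon
    as anyone submits the login name, and the reply reveals whether it exists."""
    if login not in USERS:
        return "User not found"
    USERS[login]["password"] = secrets.token_urlsafe(8)
    OUTBOX.append((USERS[login]["email"], USERS[login]["password"]))
    return "A new password has been created and sent to you."

def _sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest().encode()

def request_reset(login, now=None):
    """Hardened flow: nothing changes yet. Only the mailbox owner gets a signed,
    expiring token, unknown logins get the same reply, and repeats are throttled."""
    now = now or time.time()
    recent = [t for t in _requests.get(login, []) if now - t < TOKEN_TTL]
    _requests[login] = recent + [now]
    if login in USERS and len(recent) < MAX_REQUESTS_PER_WINDOW:
        payload = f"{login}|{int(now) + TOKEN_TTL}".encode()
        token = base64.urlsafe_b64encode(payload + b"|" + _sign(payload)).decode()
        OUTBOX.append((USERS[login]["email"], token))
    return "If that login exists, a reset link has been sent."

def complete_reset(token, new_password, now=None):
    """Change the password only when the token's signature and expiry check out."""
    now = now or time.time()
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw.rsplit(b"|", 1)          # hex signature contains no '|'
        login, exp = payload.decode().rsplit("|", 1)
        exp = int(exp)
    except ValueError:                              # bad base64, layout or number
        return False
    if not hmac.compare_digest(sig, _sign(payload)) or exp <= now or login not in USERS:
        return False
    USERS[login]["password"] = new_password
    return True
```

The throttle covers the dictionary-attack concern per login only; a captcha or per-client limit as the report suggests would sit in front of request_reset() as well.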