[jira] [Updated] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-08 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-10054:

Issue Type: Bug  (was: Improvement)

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Bug
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo" onerror="alert('Hi!');
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Closed] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-08 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10054.
---
   Resolution: Fixed
Fix Version/s: 18.12.01
   16.11.06
   17.12.01

> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Improvement
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo" onerror="alert('Hi!');
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-10054) Product content management screen doesn't validate trusted users' input

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10054?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836110#comment-16836110
 ] 

Jacques Le Roux commented on OFBIZ-10054:
-

Actually there are 2 ways used in OFBiz:
 # To prevent saving stored XSS scriptings in DB we reject them before. This is 
achieved with UtilCodec.checkStringForHtmlStrictNone(). [Most of the possible 
XSS attacks rely on the less-than (<) and greater-than (>) 
symbols|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet]. But as 
shown with the current issue [there are other types of possible 
attacks|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers].
 # Filter HTML texts and remove the unwanted parts. This is done using policies 
with HtmlEncoder::sanitize. The default policy is not very permissive. Since 
OFBIZ-10187 it's easier to create your own, more permissive policies. An [example 
inspired by eBay is available 
OOTB.|https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project#Stage_2_-_Choosing_a_base_policy_file].
 To be safer a [policy inspired by 
Slashdot|https://github.com/andresriancho/owaspantisamy/blob/master/Java/antisamy-smoketest/src/main/webapp/WEB-INF/policies/antisamy-slashdot.xml]
 could be used. Anyway it's up to you... I should note here though that 
currently the AntiSamy API is not used in OFBiz. This is something that still 
needs to be clarified with the authors of OFBIZ-10187. Maybe it was easier for 
them to adapt from XML to Java...

These 2 ways (reject or filter) are somehow discussed here: 
[https://github.com/OWASP/java-html-sanitizer/blob/master/docs/html-validation.md]

Anyway, my proposition of using HtmlEncoder::sanitize inside 
UtilCodec.checkStringForHtmlStrictNone() was wrong. Because they don't achieve 
the same goal. One rejects, the other modifies, with the hope to make the 
result safer (can't be 100% guaranteed).

Greg's solution doesn't work either, for the same reason. With 
UtilCodec.checkStringForHtmlStrictNone(), we need to reject, not change.

I have committed a solution which rejects any js event in:
trunk r1858965
R18 r1858966
R17 r1858967
R16 r1858969

According to https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet 
there are 2 other types of cases which are not covered by rejecting less-than 
(<) and greater-than (>) symbols:
# [US-ASCII_encoding|https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding]
# Flash

As I commented in code for:
# All our Tomcat connectors use UTF-8, so not a problem
# We don't care about Flash, now rather deprecated in the latest versions of major 
browsers. And actually we don't use Flash OOTB at all


> Product content management screen doesn't validate trusted users' input
> ---
>
> Key: OFBIZ-10054
> URL: https://issues.apache.org/jira/browse/OFBIZ-10054
> Project: OFBiz
>  Issue Type: Improvement
>  Components: product
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Jacopo Cappellato
>Assignee: Jacques Le Roux
>Priority: Major
>
> Steps to recreate:
> 1) go to (authenticate with admin/ofbiz):
> https://localhost:8443/catalog/control/EditProductContent?productId=WG-
> 2) set the content of the field labeled "Large Image" to:
> non_existent.foo" onerror="alert('Hi!');
> 3) visit the url:
> https://localhost:8443/ecommerce/control/product?product_id=WG-
> A popup message will appear with the "Hi!".
> Thanks to Loris Nardo for the report.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
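
Added example (not part of the JIRA thread and not OFBiz code): the reject-versus-modify distinction from the OFBIZ-10054 comment above, run on the value from the issue's steps to recreate. Class and method names are hypothetical, the event-attribute pattern is an assumption rather than the committed fix, and the encoder is a plain HTML-encoding stand-in for a sanitizer policy (Java 8 or later).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration with hypothetical names; not UtilCodec or HtmlEncoder from OFBiz. */
public class RejectVersusFilter {

    // An "on<name>=" attribute at the start of the value or after whitespace, a quote or a slash.
    // Assumption: a broad pattern; it will also reject harmless text such as "online=true",
    // which is acceptable for a field that must contain no markup at all.
    private static final Pattern EVENT_ATTR =
            Pattern.compile("(?:^|[\\s\"'/])(on[a-z]+)\\s*=", Pattern.CASE_INSENSITIVE);

    /** Reject way, angle brackets only: the check that the reported value slips past. */
    static List<String> checkAngleBrackets(String value) {
        List<String> errors = new ArrayList<>();
        if (value.indexOf('<') >= 0) {
            errors.add("less-than (<) not allowed");
        }
        if (value.indexOf('>') >= 0) {
            errors.add("greater-than (>) not allowed");
        }
        return errors;
    }

    /** Reject way, extended: also refuse any JS event attribute. The value is never altered. */
    static List<String> checkStrict(String value) {
        List<String> errors = checkAngleBrackets(value);
        Matcher m = EVENT_ATTR.matcher(value);
        while (m.find()) {
            errors.add("JS event attribute not allowed: " + m.group(1).toLowerCase(Locale.ROOT));
        }
        return errors;
    }

    /** Modify way (stand-in): returns a changed string instead of an error list. */
    static String encode(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (char c : value.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** How a template that does not encode would place a stored value into the page. */
    static String renderImg(String storedValue) {
        return "<img src=\"" + storedValue + "\"/>";
    }

    public static void main(String[] args) {
        // Constructed inputs; the first is the "Large Image" value quoted in the issue.
        String[] samples = {
            "non_existent.foo\" onerror=\"alert('Hi!');",
            "/images/products/large.png",
            "<b>bold</b>"
        };
        for (String s : samples) {
            System.out.println("value           : " + s);
            System.out.println("  brackets only : " + checkAngleBrackets(s));
            System.out.println("  strict reject : " + checkStrict(s));
            System.out.println("  rendered raw  : " + renderImg(s));
            System.out.println("  rendered enc. : " + renderImg(encode(s)));
        }
    }
}
```

For the first sample the brackets-only list is empty while the strict list names onerror; the two ways differ in contract, since the checks return errors and leave the input untouched, while encode() returns a different string.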


[jira] [Closed] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-08 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-10187.
---
   Resolution: Fixed
Fix Version/s: 16.11.06

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 16.11.06, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16836109#comment-16836109
 ] 

Jacques Le Roux commented on OFBIZ-10187:
-

As I needed the fix for OFBIZ-10054, I backported it using  
[^OFBIZ-10187_Sanitizer_16.11.patch]  in
R16 r1858968

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11015) Remove useless ‘UtilMisc#makeSetWritable’

2019-05-08 Thread Mathieu Lirzin (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mathieu Lirzin updated OFBIZ-11015:
---
Summary: Remove useless ‘UtilMisc#makeSetWritable’  (was: Remove useless 
‘StringUtil#makeSetWritable’)

> Remove useless ‘UtilMisc#makeSetWritable’
> -
>
> Key: OFBIZ-11015
> URL: https://issues.apache.org/jira/browse/OFBIZ-11015
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Minor
> Fix For: Upcoming Branch
>
> Attachments: OFBIZ-11015_Remove-useless-UtilMisc-makeSetWritable.patch
>
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11015) Remove useless ‘StringUtil#makeSetWritable’

2019-05-08 Thread Mathieu Lirzin (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11015?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mathieu Lirzin updated OFBIZ-11015:
---
Attachment: OFBIZ-11015_Remove-useless-UtilMisc-makeSetWritable.patch

> Remove useless ‘StringUtil#makeSetWritable’
> ---
>
> Key: OFBIZ-11015
> URL: https://issues.apache.org/jira/browse/OFBIZ-11015
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Minor
> Attachments: OFBIZ-11015_Remove-useless-UtilMisc-makeSetWritable.patch
>
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (OFBIZ-11015) Remove useless ‘StringUtil#makeSetWritable’

2019-05-08 Thread Mathieu Lirzin (JIRA)
Mathieu Lirzin created OFBIZ-11015:
--

 Summary: Remove useless ‘StringUtil#makeSetWritable’
 Key: OFBIZ-11015
 URL: https://issues.apache.org/jira/browse/OFBIZ-11015
 Project: OFBiz
  Issue Type: Improvement
  Components: framework
Affects Versions: Trunk
Reporter: Mathieu Lirzin
Assignee: Mathieu Lirzin






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (OFBIZ-11014) StringUtil cleanup

2019-05-08 Thread Mathieu Lirzin (JIRA)
Mathieu Lirzin created OFBIZ-11014:
--

 Summary: StringUtil cleanup
 Key: OFBIZ-11014
 URL: https://issues.apache.org/jira/browse/OFBIZ-11014
 Project: OFBiz
  Issue Type: Improvement
  Components: framework
Affects Versions: Trunk
Reporter: Mathieu Lirzin
Assignee: Mathieu Lirzin


{{StringUtil}} contains stuff that is not useful with recent versions of Java. 
For example the {{StringUtil#split}} method could be replaced by the 
{{String#split}} method. As a consequence {{StringUtil}} should be cleaned up.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code

2019-05-08 Thread Mathieu Lirzin (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835762#comment-16835762
 ] 

Mathieu Lirzin commented on OFBIZ-10187:


I have applied  
[^OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch] :

Committed revision 1858933 on Trunk
Committed revision 1858934 on release18.12
Committed revision 1858935 on release17.12

Thanks Jacques for sharing your opinion.

> OWASP sanitizer breaks proper rendering of HTML code
> 
>
> Key: OFBIZ-10187
> URL: https://issues.apache.org/jira/browse/OFBIZ-10187
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Michael Brohl
>Assignee: Michael Brohl
>Priority: Critical
>  Labels: backport-needed
> Fix For: 17.12.01, 18.12.01
>
> Attachments: 
> OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, 
> OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, 
> OFBIZ-10187_Sanitizer_New.patch
>
>
> The current implementation of the sanitizer breaks the proper rendering of 
> html code. In our case, class attributes are stripped from the html content.
> Example:
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> will be rendered to
> {code:java}
>     
>           src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" 
> alt="" />
>                  
>                      
>                          Lorem ipsum dolor sit amet
>                          At vero eos et accusam et justo
>                          
>                              Lorem ipsum dolor sit amet, consetetur 
> sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea
>                              takimata sanctus est Lorem ipsum dolor sit amet.
>                          
>                           href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen
>                      
>                  
>              {code}
> I do not see any reason to not allow class attributes in html code. There 
> might be other problems with these rules but this is a showstopper.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-5303) Attic defunct 'iDeal' code

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-5303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835687#comment-16835687
 ] 

Jacques Le Roux commented on OFBIZ-5303:


Thanks Pierre

> Attic defunct 'iDeal' code
> --
>
> Key: OFBIZ-5303
> URL: https://issues.apache.org/jira/browse/OFBIZ-5303
> Project: OFBiz
>  Issue Type: Improvement
>  Components: accounting, ecommerce, order, product
>Affects Versions: SlimDown, Trunk
>Reporter: Pierre Smits
>Assignee: Pierre Smits
>Priority: Major
> Fix For: Upcoming Branch
>
>
> Currently we have multiple payment processors (e.g. worldpay and iDeal) 
> integrated in the Accounting component.
> However, in order to reduce to basic functionality in the standard 
> applications/components and to be in sync with other solutions that use 
> third-party apps, these should be moved out of the basic applications. 
> Not only does that reduce maintenance on and resource consumption by the 
> basic applications, but it also gives end-users and implementers a choice 
> regarding the processor(s).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Resolved] (OFBIZ-11004) Add missing ‘synchronized’ modifier

2019-05-08 Thread Mathieu Lirzin (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11004?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mathieu Lirzin resolved OFBIZ-11004.

   Resolution: Fixed
Fix Version/s: Release Branch 16.11
   Release Branch 18.12
   Release Branch 17.12

Committed in revision 1858928 on release18.12
Committed in revision 1858929 on release17.12
Committed in revision 1858930 on release16.11

Thank you Jacques for confirming that this preventive fix should be backported.

> Add missing ‘synchronized’ modifier
> ---
>
> Key: OFBIZ-11004
> URL: https://issues.apache.org/jira/browse/OFBIZ-11004
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework
>Affects Versions: Trunk
>Reporter: Mathieu Lirzin
>Assignee: Mathieu Lirzin
>Priority: Major
> Fix For: Upcoming Branch, Release Branch 17.12, Release Branch 
> 18.12, Release Branch 16.11
>
> Attachments: OFBIZ-11004_Add-missing-synchronized-modifier.patch
>
>
> Overriding a synchronized method with a non-synchronized one can
> introduce potential runtime concurrency bugs. Since
> ‘ExtendedProperties#loadFromXML’ is overriding
> ‘Properties#loadFromXML’ which is synchronized, it is safer to mark
> it as synchronized.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Comment Edited] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835676#comment-16835676
 ] 

Jacques Le Roux edited comment on OFBIZ-11009 at 5/8/19 3:17 PM:
-

Thanks Ingo,

I have to re-read the whole thread but it seems we should revert for this case 
(only). I'll do ASAP...

BTW there are maybe other such cases. Not sure yet how to check that...


was (Author: jacques.le.roux):
Thanks Ingo,

I have to re-read the whole thread but it seems we should revert for this case 
(only). I'll do ASAP...

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835676#comment-16835676
 ] 

Jacques Le Roux commented on OFBIZ-11009:
-

Thanks Ingo,

I have to re-read the whole thread but it seems we should revert for this case 
(only). I'll do ASAP...

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Comment Edited] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835518#comment-16835518
 ] 

Jacques Le Roux edited comment on OFBIZ-11009 at 5/8/19 3:13 PM:
-

Hi Jacques,

there was a change made in OFBIZ-9997:

Replace request-redirect w/ no redirect-param attribute by 
request-redirect-noparam

With the current implementation the form needs those parameters. Is it safe to 
revert it for this request or is there a deeper strategy behind it that I have 
not identified by now?


was (Author: iwolf):
Hi Jacques,

there was a change made in ofbiz-9997:

Replace request-redirect w/ no redirect-param attribute by 
request-redirect-noparam

With the current implementation the form needs those parameters. Is it safe to 
revert it for this request or is there a deeper strategy behind it that I have 
not identified by now?

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Ingo Wolfmayr (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835518#comment-16835518
 ] 

Ingo Wolfmayr commented on OFBIZ-11009:
---

Hi Jacques,

there was a change made in ofbiz-9997:

Replace request-redirect w/ no redirect-param attribute by 
request-redirect-noparam

With the current implementation the form needs those parameters. Is it safe to 
revert it for this request or is there a deeper strategy behind it that I have 
not identified by now?

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (OFBIZ-11013) Scrum parties don't have partyTypeId set

2019-05-08 Thread Pierre Smits (JIRA)
Pierre Smits created OFBIZ-11013:


 Summary: Scrum parties don't have partyTypeId set
 Key: OFBIZ-11013
 URL: https://issues.apache.org/jira/browse/OFBIZ-11013
 Project: OFBiz
  Issue Type: Bug
  Components: scrum
Affects Versions: Release Branch 16.11, Release Branch 15.12, Trunk, 
Release Branch 14.12, Release Branch 13.07, Release Branch 17.12, Release 
Branch 18.12
Reporter: Pierre Smits






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11012) Documentation: SalesInvoiceItemStarSchema Design Updates

2019-05-08 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11012:
-
Affects Version/s: Release Branch 18.12
   Release Branch 17.12

> Documentation: SalesInvoiceItemStarSchema Design Updates
> 
>
> Key: OFBIZ-11012
> URL: https://issues.apache.org/jira/browse/OFBIZ-11012
> Project: OFBiz
>  Issue Type: Task
>  Components: bi
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Swapnil Shah
>Priority: Major
>  Labels: birt, dwh
>
> Update the documentation when the entity has changed



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11012) Documentation: SalesInvoiceItemStarSchema Design Updates

2019-05-08 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11012:
-
Affects Version/s: Trunk

> Documentation: SalesInvoiceItemStarSchema Design Updates
> 
>
> Key: OFBIZ-11012
> URL: https://issues.apache.org/jira/browse/OFBIZ-11012
> Project: OFBiz
>  Issue Type: Task
>  Components: bi
>Affects Versions: Trunk
>Reporter: Swapnil Shah
>Priority: Major
>  Labels: birt, dwh
>
> Update the documentation when the entity has changed



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11012) Documentation: SalesInvoiceItemStarSchema Design Updates

2019-05-08 Thread Pierre Smits (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pierre Smits updated OFBIZ-11012:
-
Description: Update the documentation when the entity has changed

> Documentation: SalesInvoiceItemStarSchema Design Updates
> 
>
> Key: OFBIZ-11012
> URL: https://issues.apache.org/jira/browse/OFBIZ-11012
> Project: OFBiz
>  Issue Type: Task
>  Components: bi
>Reporter: Swapnil Shah
>Priority: Major
>  Labels: birt, dwh
>
> Update the documentation when the entity has changed



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Created] (OFBIZ-11012) Documentation: SalesInvoiceItemStarSchema Design Updates

2019-05-08 Thread Swapnil Shah (JIRA)
Swapnil Shah created OFBIZ-11012:


 Summary: Documentation: SalesInvoiceItemStarSchema Design Updates
 Key: OFBIZ-11012
 URL: https://issues.apache.org/jira/browse/OFBIZ-11012
 Project: OFBiz
  Issue Type: Bug
  Components: bi
Reporter: Swapnil Shah






--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Updated] (OFBIZ-11012) Documentation: SalesInvoiceItemStarSchema Design Updates

2019-05-08 Thread Swapnil Shah (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11012?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Swapnil Shah updated OFBIZ-11012:
-
Issue Type: Task  (was: Bug)

> Documentation: SalesInvoiceItemStarSchema Design Updates
> 
>
> Key: OFBIZ-11012
> URL: https://issues.apache.org/jira/browse/OFBIZ-11012
> Project: OFBiz
>  Issue Type: Task
>  Components: bi
>Reporter: Swapnil Shah
>Priority: Major
>  Labels: birt, dwh
>




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Ingo Wolfmayr (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835471#comment-16835471
 ] 

Ingo Wolfmayr commented on OFBIZ-11009:
---

Hi Jacques,

I will look into it.

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking  the "update" button on an invoice item the context to the 
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (OFBIZ-5303) Attic defunct 'iDeal' code

2019-05-08 Thread Pierre Smits (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-5303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835450#comment-16835450
 ] 

Pierre Smits commented on OFBIZ-5303:
-

Jacques,

I have created a sub-task regarding the updating of the documentation. However, 
currently my priorities are in such a way that this is not high on my list. I 
will get to it when I get to it. Otherwise, when this sub-task is regarded as 
important by another contributor, s/he can assign her/himself to it and work 
the ticket.

> Attic defunct 'iDeal' code
> --
>
> Key: OFBIZ-5303
> URL: https://issues.apache.org/jira/browse/OFBIZ-5303
> Project: OFBiz
>  Issue Type: Improvement
>  Components: accounting, ecommerce, order, product
>Affects Versions: SlimDown, Trunk
>Reporter: Pierre Smits
>Assignee: Pierre Smits
>Priority: Major
> Fix For: Upcoming Branch
>
>
> Currently we have multiple payment processors (e.g. worldpay and iDeal) 
> integrated in the Accounting component.
> However, in order to reduce to basic functionality in the standard 
> applications/components and to be in sync with other solutions that use 
> third-party apps, these should be moved out of the basic applications. 
> Not only does that reduce maintenance on and resource consumption by the 
> basic applications, but it also gives end-users and implementers a choice 
> regarding the processor(s).





[jira] [Created] (OFBIZ-11011) Update documentation regarding IDEAL changes

2019-05-08 Thread Pierre Smits (JIRA)
Pierre Smits created OFBIZ-11011:


 Summary: Update documentation regarding IDEAL changes
 Key: OFBIZ-11011
 URL: https://issues.apache.org/jira/browse/OFBIZ-11011
 Project: OFBiz
  Issue Type: Sub-task
Reporter: Pierre Smits


 update DATAMODEL_CHANGES.md and wiki page





[jira] [Commented] (OFBIZ-5303) Attic defunct 'iDeal' code

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-5303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835424#comment-16835424
 ] 

Jacques Le Roux commented on OFBIZ-5303:


Hého Pierre, nothing to say here?

> Attic defunct 'iDeal' code
> --
>
> Key: OFBIZ-5303
> URL: https://issues.apache.org/jira/browse/OFBIZ-5303
> Project: OFBiz
>  Issue Type: Improvement
>  Components: accounting, ecommerce, order, product
>Affects Versions: SlimDown, Trunk
>Reporter: Pierre Smits
>Assignee: Pierre Smits
>Priority: Major
> Fix For: Upcoming Branch
>
>
> Currently we have multiple payment processors (e.g. worldpay and iDeal) 
> integrated in the Accounting component.
> However, in order to reduce to basic functionality in the standard 
> applications/components and to be in sync with other solutions that use 
> third-party apps, these should be moved out of the basic applications. 
> Not only does that reduce maintenance on and resource consumption by the 
> basic applications, but it also gives end-users and implementers a choice 
> regarding the processor(s).





[jira] [Commented] (OFBIZ-11009) Update invoice item looses invoice context

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835393#comment-16835393
 ] 

Jacques Le Roux commented on OFBIZ-11009:
-

Hi Ingo,

Will you provide a patch?

> Update invoice item looses invoice context
> --
>
> Key: OFBIZ-11009
> URL: https://issues.apache.org/jira/browse/OFBIZ-11009
> Project: OFBiz
>  Issue Type: Bug
>  Components: accounting
>Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>Reporter: Ingo Wolfmayr
>Priority: Major
>
> When clicking the "update" button on an invoice item the context to the
> invoice (invoiceId) is lost. The result is an empty form to add a new invoice 
> item without invoice context.
> GoTo: Accounting --> Invoices --> Select Invoice --> Tab Items --> Press 
> update button on invoice item





[jira] [Closed] (OFBIZ-9153) webpos can not check out in ofbiz 16.11.01 and also in16.11 Release Branch Demo

2019-05-08 Thread Jacques Le Roux (JIRA)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-9153?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-9153.
--
Resolution: Cannot Reproduce

I opened OFBIZ-11010 for sequel

> webpos can not check out in ofbiz 16.11.01 and also in16.11 Release Branch 
> Demo
> ---
>
> Key: OFBIZ-9153
> URL: https://issues.apache.org/jira/browse/OFBIZ-9153
> Project: OFBiz
>  Issue Type: Bug
>  Components: webpos
>Affects Versions: 16.11.01
>Reporter: 李浩
>Assignee: Jacques Le Roux
>Priority: Major
>
> In Keyboard Shortcuts, "F7 PAY BY CC"
> is not credit card pay but actually is checkout and insert order.
> F8 CHECKOUT actually just focuses on product amount.
> If we check out, we will encounter an error "INSERT on table 'ORDER_HEADER' caused a
> violation of foreign key constraint 'ORDER_HDR_SCENUM' for key
> (POS_SALES_CHANNEL)." background
> The reason is that the enum_id column of the ofbiz.ENUMERATION table does not contain the
> data "POS_SALES_CHANNEL".
> So now the webpos demo cannot check out and create an order.





[jira] [Created] (OFBIZ-11010) Touch F8 in webpos does not work and generate an error

2019-05-08 Thread Jacques Le Roux (JIRA)
Jacques Le Roux created OFBIZ-11010:
---

 Summary: Touch F8 in webpos does not work and generate an error
 Key: OFBIZ-11010
 URL: https://issues.apache.org/jira/browse/OFBIZ-11010
 Project: OFBiz
  Issue Type: Bug
  Components: webpos
Affects Versions: Release Branch 16.11, Trunk, Release Branch 17.12, 
Release Branch 18.12
Reporter: Jacques Le Roux


While working on OFBIZ-9153 I could not reproduce the same error either in R16 
or trunk but got:

{noformat}
2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |GenericDelegator  |E| Failure in create operation for entity [OrderHeader]: org.apache.ofbiz.entity.GenericEntityException: Error while inserting: [GenericEntity:OrderHeader][agreementId,null()][billingAccountId,null()][createdBy,admin(java.lang.String)][createdStamp,2019-04-30 12:20:50.181(java.sql.Timestamp)][createdTxStamp,2019-04-30 12:20:49.945(java.sql.Timestamp)][currencyUom,USD(java.lang.String)][entryDate,2019-04-30 12:20:50.04(java.sql.Timestamp)][grandTotal,2974.99000(java.math.BigDecimal)][invoicePerShipment,Y(java.lang.String)][lastUpdatedStamp,2019-04-30 12:20:50.181(java.sql.Timestamp)][lastUpdatedTxStamp,2019-04-30 12:20:49.945(java.sql.Timestamp)][needsInventoryIssuance,Y(java.lang.String)][orderDate,2019-04-30 12:20:50.04(java.sql.Timestamp)][orderId,RSCO10050(java.lang.String)][orderName,null()][orderTypeId,SALES_ORDER(java.lang.String)][originFacilityId,MyRetailStore(java.lang.String)][productStoreId,9100(java.lang.String)][salesChannelEnumId,POS_SALES_CHANNEL(java.lang.String)][statusId,ORDER_CREATED(java.lang.String)][terminalId,pos-1(java.lang.String)][transactionId,10010(java.lang.String)] (SQL Exception while executing the following:INSERT INTO OFBIZ.ORDER_HEADER (ORDER_ID, ORDER_TYPE_ID, ORDER_NAME, EXTERNAL_ID, SALES_CHANNEL_ENUM_ID, ORDER_DATE, PRIORITY, ENTRY_DATE, PICK_SHEET_PRINTED_DATE, VISIT_ID, STATUS_ID, CREATED_BY, FIRST_ATTEMPT_ORDER_ID, CURRENCY_UOM, SYNC_STATUS_ID, BILLING_ACCOUNT_ID, ORIGIN_FACILITY_ID, WEB_SITE_ID, PRODUCT_STORE_ID, AGREEMENT_ID, TERMINAL_ID, TRANSACTION_ID, AUTO_ORDER_SHOPPING_LIST_ID, NEEDS_INVENTORY_ISSUANCE, IS_RUSH_ORDER, INTERNAL_CODE, REMAINING_SUB_TOTAL, GRAND_TOTAL, IS_VIEWED, INVOICE_PER_SHIPMENT, LAST_UPDATED_STAMP, LAST_UPDATED_TX_STAMP, CREATED_STAMP, CREATED_TX_STAMP) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) (INSERT on table 'ORDER_HEADER' caused a violation of foreign key constraint 'ORDER_HDR_SCENUM' for key (POS_SALES_CHANNEL).  The statement has been rolled back.)). Rolling back transaction.
2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |TransactionUtil   |I| Transaction rollback only not set, rollback only is already set.
2019-04-30 12:20:50,272 |jsse-nio-8443-exec-2 |OrderServices |E| Cannot create OrderHeader entity; problems with insert
{noformat}

After selecting
# GZ-1005 '.NIT Gizmo ',
# paying cash using the F3 button (also there it does not work very well if
you don't put the right amount from start, but that's another hair of the yak)
# checking out using the F8 button





[jira] [Commented] (OFBIZ-11008) ContactMechPurposeType entity should be extended with generic type entity fields

2019-05-08 Thread Jacques Le Roux (JIRA)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16835377#comment-16835377
 ] 

Jacques Le Roux commented on OFBIZ-11008:
-

+1, makes sense, thanks Suraj

> ContactMechPurposeType entity should be extended with generic type entity 
> fields
> 
>
> Key: OFBIZ-11008
> URL: https://issues.apache.org/jira/browse/OFBIZ-11008
> Project: OFBiz
>  Issue Type: Improvement
>  Components: ALL COMPONENTS
>Affects Versions: Trunk
>Reporter: Suraj Khurana
>Assignee: Suraj Khurana
>Priority: Major
> Attachments: OFBIZ-11008.patch
>
>
> Currently, as many type entities have parentTypeId and hasTable fields 
> available, we should have it in ContactMechPurposeType entity as well to 
> maintain consistency.


