ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-4956) "auth" should be true for all the request url used for Application components.
Date Fri, 21 Apr 2017 10:03:04 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-4956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978433#comment-15978433 ]

Jacques Le Roux commented on OFBIZ-4956:

Hi Amardeep, what is the status here?

> "auth" should be true for all the request url used for Application components.
> ------------------------------------------------------------------------------
>                 Key: OFBIZ-4956
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-4956
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, Release Branch 12.04, Release Branch 13.07,
>            Reporter: Amardeep Singh Jhajj
>            Assignee: Amardeep Singh Jhajj
>         Attachments: OFBIZ-4956.patch, OFBIZ-4956-Release-10.04.patch, OFBIZ-4956-Release-11.04.patch
> Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and can access any resources without authorization.
> For example - https://demo-trunk.ofbiz.apache.org:8443/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
> Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secure with auth="true" and https="true" in all the application components.
