ofbiz-user mailing list archives

From pprice <ppr...@churchforge.com>
Subject AJAX is unsecure. auth="true" not honored on controller.
Date Tue, 21 Oct 2014 00:47:28 GMT
We've been playing with the Practice application that can be downloaded from
here
<https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Tutorial+-+A+Beginners+Development+Guide>
and we noticed that if you perform the request to create a user from a
non-authenticated client, the Person record is still created.

The relevant entry from the controller.xml looks like:


The  check is honored in that the request returns the HTML for the login
page, but the createPracticePerson service is still invoked and the Person
record is created. I am still new to ofbiz, but this is not what I would
expect to happen, please help me understand what incorrect assumptions I am
making and how to secure an AJAX request like this.

Thanks!



--
View this message in context: http://ofbiz.135035.n4.nabble.com/AJAX-is-unsecure-auth-true-not-honored-on-controller-tp4657131.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
