Details

    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Steps to reproduce:
      1) Log in to the ecommerce app
      2) View the profile
      3) Add some entries under Tax Identification and Exemption
      4) Try to delete a previously added value

      1. Zaznaczenie_001.png
        71 kB
        Michał Cukierman

        Issue Links

          Activity

          jacques.le.roux Jacques Le Roux added a comment -

          Which revision of R9.04 are you using? Because it seems I can't reproduce, could you give more details? A URL would be perfect...

          mcukierman Michał Cukierman added a comment - - edited

          Step 2: Go to:
          https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
          Step 3: After adding tax info:
          https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
          Step 4: try to remove previously added tax info (using X on the left)
          https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485

          Standard error message:

          "The Following Errors Occurred:
          Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

          I am logged in as admin

          mcukierman Michał Cukierman added a comment -

          Screenshot with error on demo-stable host

          jacques.le.roux Jacques Le Roux added a comment - - edited

          Hi Michał,

          This is not an easy fix, because, for security reasons, we would need to have a form inside a form, and that does not work in HTML. This is because the faulty snippet is rendered by "screens.render" in specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl

          <form method="post" action="<@ofbizUrl>createCustomerTaxAuthInfo</@ofbizUrl>" name="createCustTaxAuthInfoForm">
              <input type="hidden" name="partyId" value="${party.partyId}"/>
              ${screens.render("component://order/widget/ordermgr/OrderEntryOrderScreens.xml#customertaxinfo")}
              <input type="submit" value="${uiLabelMap.CommonAdd}" class="smallSubmit"/>
          </form>
          

          So we would have this patch

          ### Eclipse Workspace Patch 1.0
          #P release09.04
          Index: applications/order/webapp/ordermgr/entry/customertaxinfo.ftl
          ===================================================================
          --- applications/order/webapp/ordermgr/entry/customertaxinfo.ftl	(revision 1060759)
          +++ applications/order/webapp/ordermgr/entry/customertaxinfo.ftl	(working copy)
          @@ -19,7 +19,13 @@
           <#if partyTaxAuthInfoAndDetailList?exists>
               <#list partyTaxAuthInfoAndDetailList as partyTaxAuthInfoAndDetail>
                   <div>
          -            <a href="<@ofbizUrl>deleteCustomerTaxAuthInfo?partyId=${partyId}&amp;taxAuthPartyId=${partyTaxAuthInfoAndDetail.taxAuthPartyId}&amp;taxAuthGeoId=${partyTaxAuthInfoAndDetail.taxAuthGeoId}&amp;fromDate=${partyTaxAuthInfoAndDetail.fromDate}</@ofbizUrl>" class="buttontext">X</a>
          +          <form name="deleteCustomerTaxAuthInfo" id="deleteCustomerTaxAuthInfo" method="POST" action="<@ofbizUrl>deleteCustomerTaxAuthInfo</@ofbizUrl>">
          +            <input type="hidden" name="partyId" value="${partyId}">
          +            <input type="hidden" name="taxAuthPartyId" value="${partyTaxAuthInfoAndDetail.taxAuthPartyId}">
          +            <input type="hidden" name="taxAuthGeoId" value="${partyTaxAuthInfoAndDetail.taxAuthGeoId}">
          +            <input type="hidden" name="fromDate" value="${partyTaxAuthInfoAndDetail.fromDate}">
          +            <input type="submit" name="deleteCustomerTaxAuthInfo" class="buttontext" value="X">
          +          </form>
                       [${partyTaxAuthInfoAndDetail.geoCode}] ${partyTaxAuthInfoAndDetail.geoName} (${partyTaxAuthInfoAndDetail.groupName?if_exists}): ${uiLabelMap.PartyTaxId} [${partyTaxAuthInfoAndDetail.partyTaxId?default("N/A")}], ${uiLabelMap.PartyTaxIsExempt} [${partyTaxAuthInfoAndDetail.isExempt?default("N")}]
                   </div>
               </#list>
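Review bot: the added form sets id="deleteCustomerTaxAuthInfo" (and the same name) inside the `<#list partyTaxAuthInfoAndDetailList ...>` loop, so every tax-auth entry emits another element with an identical id; drop the id or suffix it with the loop index (`id="deleteCustomerTaxAuthInfo_${partyTaxAuthInfoAndDetail_index}"`) so the markup stays valid once the nesting problem is solved. Also note that the hidden `<input type="hidden" name="partyId" value="${partyId}">` still makes partyId a client-controlled value: moving it from the query string into the POST body keeps it out of URLs and logs, which is what the secure request-map check is after, but the deleteCustomerTaxAuthInfo event must still verify it against the logged-in party rather than trust the submitted field.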
          

          And it would generate the form deleteCustomerTaxAuthInfo inside the form createCustTaxAuthInfoForm, and that can't work. So it needs to be replaced by calls from the calling screen. Can you handle the case and provide a patch?

          Thanks for your interest in OFBiz

          ================= FIXED TYPO =================

          mcukierman Michał Cukierman added a comment -

          Hi Jacques,

          I will put this on my TODO list. Unfortunately I have two coming deadlines, so I will not be able to do it before March. I work on a highly customized OFBiz version and I am not able to provide you a diff from my current codebase.

          jacques.le.roux Jacques Le Roux added a comment -

          Thanks Michał, no hurry anyway... Just let me know when you are ready, anyway I will receive from Jira, no worries...

          jacques.le.roux Jacques Le Roux added a comment -

          This has finally been fixed by removing the possibility of creating "Tax Identifications and Exemptions". Because users would actually need to have the ACCOUNTING_CREATE or ACCOUNTING_ADMIN permissions to do so (or higher admin permissions), and opening the accounting (or total) admin right to a customer seems not secure to me.

          Moreover the same exists in party and it needs admin rights in both places, so it does not make sense in ecommerce.

          Done in
          trunk r1764158+r1764176+r1764178
          R15.12, R14.12, R13.07 r1764179

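The thread ends at two server-side gates: the secure (https) request-map that rejects parameters arriving in the URL query string (the error Michał quotes), and the accounting permission that the create/delete events require (Jacques' reason for removing the feature). The following model, added here as an illustration and not OFBiz's own RequestHandler or security code, replays the original GET link and the proposed POST form against both gates. The request-map entry, the ACCOUNTING_CREATE requirement, the two user permission sets and the simplified error strings are constructed for the example; only the URL and parameter values come from the thread.

```python
"""Model of the two server-side gates discussed in this issue. This is an
illustration written for this page, not OFBiz's own RequestHandler code."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class RequestMap:
    """Subset of a controller request-map: https-only or not, and which
    entity permission (if any) the caller must hold to run its event."""
    uri: str
    secure: bool
    permission_entity: str = ""   # e.g. "ACCOUNTING"; "" means unrestricted
    permission_action: str = ""   # e.g. "_CREATE"


@dataclass
class Request:
    url: str
    method: str
    body: dict = field(default_factory=dict)    # form-encoded POST fields
    permissions: frozenset = frozenset()         # permissions of the logged-in user

    @property
    def uri(self) -> str:
        return urlsplit(self.url).path.rsplit("/", 1)[-1]

    @property
    def url_parameters(self) -> dict:
        """Parameters that travelled in the query string (what the secure check rejects)."""
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


def has_entity_permission(perms: frozenset, entity: str, action: str) -> bool:
    """ENTITY_ADMIN covers every action on the entity; otherwise ENTITY+action is needed."""
    return f"{entity}_ADMIN" in perms or f"{entity}{action}" in perms


def dispatch(req: Request, request_maps: dict) -> tuple:
    """Return ("ok", params) or ("error", message) for a request against the controller."""
    rm = request_maps[req.uri]
    if rm.secure and req.url_parameters:
        # A secure request-map must get its parameters from the POST body: values in
        # the query string end up in browser history, proxy and access logs.
        key = next(iter(req.url_parameters))
        return ("error", f"Found URL parameter [{key}] passed to secure (https) "
                         f"request-map with uri [{rm.uri}]")
    if rm.permission_entity and not has_entity_permission(
            req.permissions, rm.permission_entity, rm.permission_action):
        return ("error", f"{rm.permission_entity}{rm.permission_action} "
                         f"permission required for [{rm.uri}]")
    return ("ok", {**req.url_parameters, **req.body})


# Constructed controller fragment: the delete event is https-only and, as the
# final comment says, touching tax-auth info needs ACCOUNTING_CREATE or _ADMIN.
REQUEST_MAPS = {
    "deleteCustomerTaxAuthInfo": RequestMap(
        "deleteCustomerTaxAuthInfo", secure=True,
        permission_entity="ACCOUNTING", permission_action="_CREATE"),
}

BASE = "https://demo-stable.ofbiz.apache.org/ecommerce/control/"
TAX_INFO = {"partyId": "admin", "taxAuthPartyId": "TX_TAXMAN",
            "taxAuthGeoId": "TX", "fromDate": "2011-01-18 21:06:46.485"}

CUSTOMER_PERMS = frozenset({"ECOMMERCE_VIEW"})      # constructed: a plain shop customer
ACCOUNTANT_PERMS = frozenset({"ACCOUNTING_ADMIN"})  # constructed: a back-office user


def delete_via_link(perms: frozenset) -> tuple:
    """The original <a href> in customertaxinfo.ftl: parameters in the query string."""
    query = "&".join(f"{k}={v.replace(' ', '%20')}" for k, v in TAX_INFO.items())
    return dispatch(Request(BASE + "deleteCustomerTaxAuthInfo?" + query, "GET",
                            permissions=perms), REQUEST_MAPS)


def delete_via_form(perms: frozenset) -> tuple:
    """The proposed <form method="POST">: the same parameters, carried in the body."""
    return dispatch(Request(BASE + "deleteCustomerTaxAuthInfo", "POST",
                            body=dict(TAX_INFO), permissions=perms), REQUEST_MAPS)


if __name__ == "__main__":
    for label, fn, perms in [("GET link, customer", delete_via_link, CUSTOMER_PERMS),
                             ("POST form, customer", delete_via_form, CUSTOMER_PERMS),
                             ("POST form, accountant", delete_via_form, ACCOUNTANT_PERMS)]:
        print(f"{label:22s} -> {fn(perms)}")
```

The GET link fails at the first gate regardless of who is logged in, which is the error in the screenshot; the POST form passes that gate but a customer account then stops at the permission gate, which is why the final resolution removed the feature from ecommerce rather than granting accounting rights to shop customers.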

            People

            • Assignee:
              jacques.le.roux Jacques Le Roux
              Reporter:
              mcukierman Michał Cukierman
            • Votes:
              0
              Watchers:
              1
