Details

    • Type: Sub-task
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: Release 09.04
    • Fix Version/s: None
    • Labels:
      None
    • Environment:

      Linux x64 Debian AMD64

      Description

      Steps to reproduce:
      1) Login to ecommerce app
      2) View the profile
      3) Add some entries under Tax Identification and Exemption
      4) Try to delete previously added value

      1. Zaznaczenie_001.png
        71 kB
        Michał Cukierman

        Activity

        Michał Cukierman created issue -
        Jacques Le Roux added a comment -

        Which revision of R9.04 are you using? Because it seems I can't reproduce it, could you give more details? A URL would be perfect...

        Michał Cukierman added a comment - - edited

        Step 2: Go to:
        https://demo-stable.ofbiz.apache.org/ecommerce/control/viewprofile
        Step 3: After adding tax info:
        https://demo-stable.ofbiz.apache.org/ecommerce/control/createCustomerTaxAuthInfo
        Step 4: try to remove previously added tax info (using X on the left)
        https://demo-stable.ofbiz.apache.org/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin&taxAuthPartyId=TX_TAXMAN&taxAuthGeoId=TX&fromDate=2011-01-18%2021:06:46.485

        Standard error message:

        "The Following Errors Occurred:
        Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [partyId] passed to secure (https) request-map with uri ..."

        I am logged in as admin

        Michał Cukierman added a comment -

        Screenshot with error on demo-stable host

        Michał Cukierman made changes -
        Field Original Value New Value
        Attachment Zaznaczenie_001.png [ 12468683 ]
        Jacques Le Roux added a comment - - edited

        Hi Michał,

        This is not an easy fix because, for security reasons, we would need to have a form inside a form, and that does not work in HTML. This is because the faulty snippet is rendered by "screens.render" in specialpurpose/ecommerce/webapp/ecommerce/customer/viewprofile.ftl

        <form method="post" action="<@ofbizUrl>createCustomerTaxAuthInfo</@ofbizUrl>" name="createCustTaxAuthInfoForm">
            <input type="hidden" name="partyId" value="${party.partyId}"/>
            ${screens.render("component://order/widget/ordermgr/OrderEntryOrderScreens.xml#customertaxinfo")}
            <input type="submit" value="${uiLabelMap.CommonAdd}" class="smallSubmit"/>
        </form>
        

        So we would have this patch

        ### Eclipse Workspace Patch 1.0
        #P release09.04
        Index: applications/order/webapp/ordermgr/entry/customertaxinfo.ftl
        ===================================================================
        --- applications/order/webapp/ordermgr/entry/customertaxinfo.ftl	(revision 1060759)
        +++ applications/order/webapp/ordermgr/entry/customertaxinfo.ftl	(working copy)
        @@ -19,7 +19,13 @@
         <#if partyTaxAuthInfoAndDetailList?exists>
             <#list partyTaxAuthInfoAndDetailList as partyTaxAuthInfoAndDetail>
                 <div>
        -            <a href="<@ofbizUrl>deleteCustomerTaxAuthInfo?partyId=${partyId}&amp;taxAuthPartyId=${partyTaxAuthInfoAndDetail.taxAuthPartyId}&amp;taxAuthGeoId=${partyTaxAuthInfoAndDetail.taxAuthGeoId}&amp;fromDate=${partyTaxAuthInfoAndDetail.fromDate}</@ofbizUrl>" class="buttontext">X</a>
        +          <form name="deleteCustomerTaxAuthInfo" id="deleteCustomerTaxAuthInfo" method="POST" action="<@ofbizUrl>deleteCustomerTaxAuthInfo</@ofbizUrl>">
        +            <input type="hidden" name="partyId" value="${partyId}">
        +            <input type="hidden" name="taxAuthPartyId" value="${partyTaxAuthInfoAndDetail.taxAuthPartyId}">
        +            <input type="hidden" name="taxAuthGeoId" value="${partyTaxAuthInfoAndDetail.taxAuthGeoId}">
        +            <input type="hidden" name="fromDate" value="${partyTaxAuthInfoAndDetail.fromDate}">
        +            <input type="submit" name="deleteCustomerTaxAuthInfo" class="buttontext" value="X">
        +          </form>
                     [${partyTaxAuthInfoAndDetail.geoCode}] ${partyTaxAuthInfoAndDetail.geoName} (${partyTaxAuthInfoAndDetail.groupName?if_exists}): ${uiLabelMap.PartyTaxId} [${partyTaxAuthInfoAndDetail.partyTaxId?default("N/A")}], ${uiLabelMap.PartyTaxIsExempt} [${partyTaxAuthInfoAndDetail.isExempt?default("N")}]
                 </div>
             </#list>
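
        Review bot: the new form is emitted inside the <#list partyTaxAuthInfoAndDetailList ...> loop with a fixed id="deleteCustomerTaxAuthInfo", so a party with two tax entries gets duplicate ids on the page, and the submit input reuses the same string as its name; drop the id or derive it from the list index, and give the button its own name. The four hidden inputs interpolate ${partyId}, ${partyTaxAuthInfoAndDetail.taxAuthPartyId} and the other values directly into attribute values, as the removed link did; unless the rendering layer already HTML-encodes these, add ?html to each. The row text on the following context line stays outside the form, so the block-level form will push the X button onto its own line unless it is styled inline.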
        

        And it would generate the form deleteCustomerTaxAuthInfo into the form createCustTaxAuthInfoForm and that can't work. So it needs to be replaced by calls from the calling screen. Can you handle the case and provide a patch?

        Thanks for your interest in OFBiz

        ================= FIXED TYPO =================
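
The two failure modes discussed in the comment above, as an added example (not OFBiz code and not part of the original comment): a Python check over rendered HTML that reports a form opened inside another form, and links that pass URL parameters to a data-modifying request. The class and function names are hypothetical and the sample markup is constructed from the snippets quoted on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class FormLint(HTMLParser):
    def __init__(self, state_changing):
        super().__init__()
        self.state_changing = set(state_changing)  # requests that modify data
        self.open_forms = []   # names of forms currently open
        self.nested = []       # (outer form, inner form)
        self.param_links = []  # (request, sorted query parameter names)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            name = a.get("name") or "?"
            if self.open_forms:
                # HTML parsers ignore a <form> start tag inside an open form,
                # so the inner fields attach to the outer form instead.
                self.nested.append((self.open_forms[-1], name))
            self.open_forms.append(name)
        elif tag == "a" and a.get("href"):
            url = urlsplit(a["href"])
            request = url.path.rsplit("/", 1)[-1]
            params = sorted(k for k, _ in parse_qsl(url.query))
            if request in self.state_changing and params:
                self.param_links.append((request, params))

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms.pop()

def lint(html, state_changing=("deleteCustomerTaxAuthInfo",)):
    parser = FormLint(state_changing)
    parser.feed(html)
    parser.close()
    return parser.nested, parser.param_links

# Constructed rendered output (host prefix omitted): the profile page before
# the patch (delete link with URL parameters) and after it (form in a form).
OUTER = ('<form method="post" action="/ecommerce/control/createCustomerTaxAuthInfo"'
         ' name="createCustTaxAuthInfoForm">%s<input type="submit" value="Add"/></form>')
BEFORE = OUTER % ('<a href="/ecommerce/control/deleteCustomerTaxAuthInfo?partyId=admin'
                  '&amp;taxAuthPartyId=TX_TAXMAN&amp;taxAuthGeoId=TX">X</a>')
AFTER = OUTER % ('<form name="deleteCustomerTaxAuthInfo" method="POST"'
                 ' action="/ecommerce/control/deleteCustomerTaxAuthInfo">'
                 '<input type="hidden" name="partyId" value="admin">'
                 '<input type="submit" value="X"></form>')
```

Running lint() on a template's rendered output before and after a change like the one proposed shows which of the two problems the page still has.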

        Michał Cukierman added a comment -

        Hi Jacques,

        I will put this on my TODO list. Unfortunately I have two upcoming deadlines, so I will not be able to do it before March. I work on a highly customized OFBiz version and I am not able to provide you a diff from my current codebase.

        Jacques Le Roux added a comment -

        Thanks Michał, no hurry anyway... Just let me know when you are ready, anyway I will receive from Jira, no worries...


          People

          • Assignee:
            Unassigned
            Reporter:
            Michał Cukierman
          • Votes:
            0
            Watchers:
            0
