- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Won't Do
- Affects Version/s: Release Branch 11.04, Release Branch 12.04, Release Branch 13.07, Trunk
- Fix Version/s: None
- Component/s: ALL APPLICATIONS
- Labels: None
- Sprint: Bug Crush Event - 21/2/2015

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and can access any resources without authorization.
For example: https://demo-trunk.ofbiz.apache.org/content/control/ViewSimpleContent?dataResourceId=GZ-DIG
Currently, the above URL does not need authorization (you can access any resource by changing the dataResourceId). I think all the URLs should be secure with auth="true" and https="true" in all the application components.
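
An added example, not part of the original report and not OFBiz project code: a Python audit that lists the `request-map` entries of a `controller.xml` whose `security` element is not explicitly `auth="true"` and `https="true"`, which is the condition the report describes. The sample XML is constructed, and the `allowlist` parameter for endpoints that are public on purpose is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a controller.xml (not copied from the project).
SAMPLE_CONTROLLER = """<site-conf>
  <request-map uri="ViewSimpleContent">
    <security https="true" auth="false"/>
    <response name="success" type="view" value="ViewSimpleContent"/>
  </request-map>
  <request-map uri="EditContent">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="EditContent"/>
  </request-map>
  <request-map uri="ping">
    <response name="success" type="none"/>
  </request-map>
  <request-map uri="login">
    <security https="false" auth="false"/>
    <response name="success" type="view" value="main"/>
  </request-map>
</site-conf>"""


def _local(tag):
    """Drop an XML namespace prefix so namespaced and plain files both match."""
    return tag.rsplit("}", 1)[-1]


def audit_controller(xml_text, allowlist=()):
    """Return [(uri, [issues])] for request-maps not explicitly auth/https "true".

    A missing <security> element or attribute is reported as "unset" rather than
    assuming a default, so a reviewer checks it by hand. Parse only trusted,
    local configuration files with this function.
    """
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "request-map" or el.get("uri") in allowlist:
            continue
        sec = next((c for c in el if _local(c.tag) == "security"), None)
        values = {k: (sec.get(k) if sec is not None else None) for k in ("auth", "https")}
        issues = [f"{k}={v or 'unset'}" for k, v in values.items() if v != "true"]
        if issues:
            findings.append((el.get("uri"), issues))
    return findings


if __name__ == "__main__":
    for uri, issues in audit_controller(SAMPLE_CONTROLLER, allowlist={"login"}):
        print(f"{uri}: {', '.join(issues)}")
```
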