This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/trunk by this push: new e72e134 Improved: "auth" should be true for all the request url used for Application components e72e134 is described below commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Sat Mar 14 08:49:54 2020 +0100 Improved: "auth" should be true for all the request url used for Application components (OFBIZ-4956) Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization. I think all the URLs should be secure with auth="true" Thanks: Amardeep Singh Jhajj for report and initial fix --- ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml index 5f7031c..27a0383 100644 --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml @@ -1605,7 +1605,7 @@ under the License. </request-map> <request-map uri="getAssociatedStateList"> - <security https="true" auth="false"/> + <security https="true" auth="true"/> <event type="service" invoke="getAssociatedStateList"/> <response name="success" type="request" value="json"/> <response name="error" type="request" value="json"/>
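Review bot: on the `getAssociatedStateList` request-map in ecommerce/webapp/ecommerce/WEB-INF/controller.xml, switching to `auth="true"` needs a check that no storefront page rendered before login calls this request. It sits in the ecommerce webapp and returns through the `json` responses, which suggests it is called from client-side form code; if any such form is shown to visitors who are not logged in, that call will now hit the login check instead of the `json` success or error response. Please list the screens that call this URI and confirm each one requires a login, or keep this one request public and document why it is safe to expose. Separately, the commit message speaks of all request URLs with `auth="false"`, while this diff changes one request-map in one file; say in the message whether this is one step of a series under OFBIZ-4956 or the complete change for this component.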