Improved: Don't exclude properties and labels file from the Jar (OFBIZ-11161)
In order to have an independent deployable jar, we need to include the properties and labels inside the jar.
The properties and labels files were previously excluded from the jar because it was not possible to replace the compile-time values by invalidating OFBiz caches, which is convenient when developing OFBiz. It was then necessary to reconstruct the jar and restart OFBiz (see OFBIZ-8321 for more details).
With the recent improvement from revision 1865719, which allows running OFBiz without building a jar, it is now possible to enable this cache invalidation by running 'gradle run' in one shell and 'gradlew --continuous classes' in a separate shell. Doing so makes the combination of editing the label files and clearing the caches use the new value defined in the source file.
Fixed: Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password" (OFBIZ-4361)
Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin", without permission. By simply entering "admin" and clicking "Email Password", the following is displayed:
The following occurred: A new password has been created and sent to you. Please check your Email.
This now forces the user of the ERP to change their password. It is also possible to generate a dictionary attack against OFBiz because there is no captcha code required. This is a serious security risk.
I have modified the patch following comments I made in the Jira, notably:
- Removed unused Java variables
- Removed a check in LoginEvents::forgotPassword which prevented showing error messages
- Changed fr and en SecurityExtPasswordSentToYou + SecurityExtThisEmailIsInResponseToYourRequestToHave labels + template PasswordEmail.ftl + loginservices.token_incorrect labels
- Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels
- Removed changes in general.properties
- I did not remove the 2 GetSecurityQuestion.ftl files (the webpos one was still in)
There is still room for improvement. I'll discuss it on the Jira and dev ML. But this version is already strong enough not to wait until the patch is inapplicable!
Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch (I guess with some help from Gil), and all others for comments and ideas.
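The direction the new labels point at (a token-carrying link that is usable once and expires, with the password changed only when that link is followed, instead of an immediate reset triggered by anyone typing a login name) as an added illustration in Java. This is not OFBiz's code: the class, method names and the in-memory map standing in for a persistent entity are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Illustrative one-time reset-token flow (hypothetical, not OFBiz code).
public class ForgotPasswordFlow {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TOKEN_TTL = Duration.ofMinutes(30);

    private static final class PendingReset {
        final String tokenHash; final Instant expires; boolean used;
        PendingReset(String h, Instant e) { tokenHash = h; expires = e; }
    }
    private final Map<String, PendingReset> pending = new HashMap<>();   // userLoginId -> pending token
    private final Map<String, String> passwords = new HashMap<>();       // userLoginId -> stored password

    // Step 1: "Forget Your Password" only issues a token for the registered e-mail address.
    // The account itself is untouched, so a stranger entering "admin" cannot force a change.
    public String requestReset(String userLoginId) {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        pending.put(userLoginId, new PendingReset(sha256(token), Instant.now().plus(TOKEN_TTL)));
        return token; // goes into the e-mailed link only, never onto the screen
    }

    // Step 2: the link works once and only before expiry; the password changes only here.
    public boolean completeReset(String userLoginId, String token, String newPassword) {
        PendingReset pr = pending.get(userLoginId);
        if (pr == null || pr.used || Instant.now().isAfter(pr.expires)) return false;
        byte[] expected = pr.tokenHash.getBytes(StandardCharsets.UTF_8);
        byte[] given = sha256(token).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;      // constant-time compare
        pr.used = true;
        passwords.put(userLoginId, newPassword); // a real store would hash the password first
        return true;
    }

    // Only a hash of the token is stored, so a leaked table does not yield usable links.
    private static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(d);
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }
}
```

A second requestReset for the same login replaces the earlier token, so only the most recent link is valid; rate limiting of requestReset is left to the caller.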