Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (it was OK in plugins).

  1. … 24 more files in changeset.
Improved: Purchase Invoice creation should be limited for parties with roleTypeId = SUPPLIER (OFBIZ-11024)

Added new LookupSupplier and used it.

Thanks: Pierre, Rohit, Jacques, Nicolas for your contribution.

  1. … 3 more files in changeset.
Improved: Converted all TimeEntry related CRUD services from simple to entity-auto (#99)

(OFBIZ-11624)

Also, removed the unused service named unlinkInvoiceFromTimeEntry, which simply clears a TimeEntry field, so used updateTimeEntry instead.

  1. … 5 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
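The two-step approach the message describes, as an added Java example written for this page (it is not OFBiz's SameSiteFilter or UtilHttp code; the class and method names below are illustrative). The underlying constraint is that javax.servlet.http.Cookie has no SameSite setter, so the portable option is to rewrite the Set-Cookie headers the application has already queued, and to expose that rewrite as a static helper that the login path can call again after the session id has been regenerated.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/*
 * Illustrative filter (assumed name, not OFBiz's SameSiteFilter): runs the rest
 * of the chain first, then appends SameSite=Strict to every Set-Cookie header
 * the application queued on the response.
 */
public class SameSiteExampleFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";
    private static final String SAME_SITE_STRICT = "SameSite=Strict";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Let the application produce its cookies before we rewrite the headers.
        chain.doFilter(req, res);
        if (res instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) res);
        }
    }

    /*
     * Static so that code which creates a cookie after the filter has run (the
     * session cookie written when the session id is regenerated at login) can
     * invoke the same rewrite; this is the second point of the commit message.
     */
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            // Headers are already on the wire; nothing can be changed any more.
            return;
        }
        Collection<String> headers = response.getHeaders(SET_COOKIE);
        if (headers == null || headers.isEmpty()) {
            return;
        }
        // Copy first: mutating the response while iterating a live view is unsafe.
        List<String> rewritten = new ArrayList<>();
        for (String header : headers) {
            rewritten.add(withSameSiteStrict(header));
        }
        // setHeader replaces every existing Set-Cookie value; addHeader appends the rest.
        boolean first = true;
        for (String header : rewritten) {
            if (first) {
                response.setHeader(SET_COOKIE, header);
                first = false;
            } else {
                response.addHeader(SET_COOKIE, header);
            }
        }
    }

    /* Appends SameSite=Strict unless the cookie already carries a SameSite attribute. */
    static String withSameSiteStrict(String setCookieValue) {
        if (setCookieValue.toLowerCase(Locale.ROOT).contains("samesite=")) {
            return setCookieValue;
        }
        return setCookieValue + "; " + SAME_SITE_STRICT;
    }
}
```

Register the filter in web.xml (or with @WebFilter) so it wraps every request. Two limitations are worth checking in your own deployment: the rewrite only sees headers queued before the filter returns, so a cookie created later, such as the regenerated session cookie at login, needs an explicit call to addSameSiteCookieAttribute at that point; and once the response is committed (for example after a large body flushed the buffer) header changes are silently ignored, which a ZAP rescan of those pages will reveal. Recent Tomcat versions can also set the attribute at container level through the sameSiteCookies attribute of the CookieProcessor element in context.xml, which is independent of application code and not something the commit message relies on.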
Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true".

jleroux: I have also fixed the dataResourceId="GZ-DIG"

Thanks: Amardeep Singh Jhajj for report and initial fix

  1. … 10 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 24 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 24 more files in changeset.
Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile.

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile.

  1. … 24 more files in changeset.
"Applied fix from trunk for revision: 1859033" ------------------------------------------------------------------------ r1859033 | jleroux | 2019-05-09 21:46:07 +0200 (jeu. 09 mai 2019) | 21 lignes

Fixed: Update invoice item loses invoice context

(OFBIZ-11009)

When clicking the "update" button on an invoice item the context to the invoice (invoiceId) is lost. The result is an empty form to add a new invoice item without invoice context.

Go to /accounting/control/listInvoiceItems?invoiceId=demo10001

Click on "update" below the existing items.

You will then be redirected to /accounting/control/listInvoiceItems (without invoiceId). You will not see the invoice items as the context to the invoice is gone.

jleroux: the same existed for budget items. As Ingo mentioned:

<<It was broken by OFBIZ-9997: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam>>

Now we need to check all changes done for OFBIZ-9997

Thanks: Ingo Wolfmayr for report and fix proposition

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859035 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859033" ------------------------------------------------------------------------ r1859033 | jleroux | 2019-05-09 21:46:07 +0200 (jeu. 09 mai 2019) | 21 lignes

Fixed: Update invoice item loses invoice context

(OFBIZ-11009)

When clicking the "update" button on an invoice item the context to the invoice (invoiceId) is lost. The result is an empty form to add a new invoice item without invoice context.

Go to /accounting/control/listInvoiceItems?invoiceId=demo10001

Click on "update" below the existing items.

You will then be redirected to /accounting/control/listInvoiceItems (without invoiceId). You will not see the invoice items as the context to the invoice is gone.

jleroux: the same existed for budget items. As Ingo mentioned:

<<It was broken by OFBIZ-9997: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam>>

Now we need to check all changes done for OFBIZ-9997

Thanks: Ingo Wolfmayr for report and fix proposition

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859034 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Update invoice item loses invoice context (OFBIZ-11009)

When clicking the "update" button on an invoice item the context to the invoice (invoiceId) is lost. The result is an empty form to add a new invoice item without invoice context.

Go to /accounting/control/listInvoiceItems?invoiceId=demo10001

Click on "update" below the existing items.

You will then be redirected to /accounting/control/listInvoiceItems (without invoiceId). You will not see the invoice items as the context to the invoice is gone.

jleroux: the same existed for budget items. As Ingo mentioned:

<<It was broken by OFBIZ-9997: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam>>

Now we need to check all changes done for OFBIZ-9997

Thanks: Ingo Wolfmayr for report and fix proposition

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859033 13f79535-47bb-0310-9956-ffa450edef68

Improved: Have the ability to edit/remove terms of an invoice (OFBIZ-9290)

Currently the user has the ability to add terms to an invoice,

but doesn't have the functions to edit or remove existing terms.

jleroux: Based on Akshay Modak's patch, which was, mmm..., imperfect

Thanks: Pierre Smits for report, Akshay Modak for initial patch

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1857076 13f79535-47bb-0310-9956-ffa450edef68

  1. … 2 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1851071 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1851070 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
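A web.xml session-config fragment showing the settings the three commits above refer to (cookie-only session tracking, a Secure and HttpOnly session cookie, and the timeout declared in the deployment descriptor instead of in ControlEventListener.java), as an added illustration written for this page; it is not a fragment of any OFBiz web.xml. The 60-minute value is an assumption chosen to match the 60*60 seconds of the removed setMaxInactiveInterval call, and the XML declaration on the first line is the one the OFBIZ-6993 commits describe adding.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
         version="4.0">

  <session-config>
    <!-- Minutes, not seconds: 60 here equals the removed setMaxInactiveInterval(60*60).
         Assumed value for this example. -->
    <session-timeout>60</session-timeout>

    <cookie-config>
      <!-- Keep the session id away from document.cookie and off plain HTTP. -->
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>

    <!-- COOKIE only: the container must never fall back to ;jsessionid=... in URLs,
         which would copy the id into access logs and Referer headers. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>

</web-app>
```

The cookie-config and tracking-mode elements require a Servlet 3.0 or later descriptor, which is why the web.xml version bump and the XML declaration matter alongside this change; a descriptor still declared as 2.x will fail schema validation on these elements. After deploying, confirm with a browser's cookie inspector or a ZAP scan that the JSESSIONID cookie arrives with both the Secure and HttpOnly flags and that no URL on the site carries a jsessionid path parameter.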
Improved: Create patch for removal of IDEAL code in framework (OFBIZ-5444)

Removes all iDEAL specifics from the framework (actually only applications)

Thanks: Pierre Smits

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1846227 13f79535-47bb-0310-9956-ffa450edef68

  1. … 18 more files in changeset.
Improved: Consistency and Readability improvements for event tag (controller.xml). (OFBIZ-8965)

Thanks Ankush Upadhyay for reporting and Devanshu Vyas for providing the updated patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1845086 13f79535-47bb-0310-9956-ffa450edef68

  1. … 6 more files in changeset.
Implemented: Add PartyPrefDocTypeTpl entity to link official template document to organisational party (OFBIZ-10186)

With this entity we can link a customScreen with an organisational party for a document type like salesinvoice, product quote and so on. I added screen, form and menu to manage them on the organisation party configuration page accounting/control/ListCompanies. Currently this isn't useful alone but needed for issues OFBIZ-10215, OFBIZ-10216, OFBIZ-10217 that will be completed soon.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1824436 13f79535-47bb-0310-9956-ffa450edef68

  1. … 7 more files in changeset.
Improved: Replace request-redirect w/ no redirect-param attribute by request-redirect-no-param (OFBIZ-9997)

There was a typo in r1816180; this fixes it and adds the plugins part.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1816183 13f79535-47bb-0310-9956-ffa450edef68

  1. … 8 more files in changeset.