Improved: Corrected some single line statements to fix checkstyle issues, also removed some remaining extra spaces from code to avoid checkstyle errors in applications component. (OFBIZ-11886)

  1. … 70 more files in changeset.
Improved: Corrected all checkstyle formatting issues: Line has trailing spaces in applications component. (OFBIZ-11880) Thanks Jacques for review.

  1. … 107 more files in changeset.
Improved: Corrected checkstyle formatting issues, 'is preceded/not preceded with whitespace' for applications component. (OFBIZ-11874) This fixes following checkstyle issues: '{' is not preceded with whitespace. '{' is not followed by whitespace. '}' is not followed by whitespace. '}' is not preceded with whitespace. 'typecast' is not followed by whitespace. 'try' is not followed by whitespace. ';' is preceded with whitespace.

  1. … 105 more files in changeset.
Improved: Merge identical catch blocks in single catch block (OFBIZ-11827)

In Java SE 7 and later, a single catch block can handle more than one type of exception. This feature can reduce code duplication and lessen the temptation to catch an overly broad exception.

Thanks: Jacques for the review.

  1. … 51 more files in changeset.
Improved: Changed resources with proper naming convention in all application components. (OFBIZ-11739) Also, made MODULE as private data member of class instead of public. This will reduce checkstyle issues. Thanks Jacques for review.

  1. … 221 more files in changeset.
Improved: replaces module by MODULE everywhere

  1. … 683 more files in changeset.
Implemented: Remove the user login security question.

(OFBIZ-11244)

Thanks Wiebke Pätzold for providing the patch.

  1. … 19 more files in changeset.
Fixed: updatePassword does not save optional parameter requirePasswordChange (OFBIZ-11320)

When changing the password of a User Login through the Party Manager the Require Password Change dropdown menu selection does not save the selected value. The corresponding process is missing from the LoginMapProcs.xml.

Thanks: Ingo Könemann for your contribution.

Reverted: "Improved: Use ‘depends-on’ attribute instead of “component-load.xml”" (OFBIZ-11296)

This reverts commit eeabe69813a1d9f42911dec70a912574046ef49b.

  1. … 24 more files in changeset.
Improved: Use ‘depends-on’ attribute instead of “component-load.xml” (OFBIZ-11296)

We currently have two ways to define component loading order. Either by using ‘depends-on’ attribute in “component-config.xml” or by adding a “component-load.xml” file at the root of a component directory.

“depends-on” is more flexible because it handles partial ordering when “component-load.xml” defines a total order which is not necessarily meaningful, so it is better to rely only on “depends-on”.

This removes the usage of “component-load.xml” to use ‘depends-on’ instead. The dependency declarations correspond to the total ordering previously defined but will need to be refined in the future to relax unnecessary dependency declarations.

Only “framework/base/config/component-load.xml” which defines the top-level directories order (framework, applications, themes and plugins) is kept.

  1. … 24 more files in changeset.
Improved: Use website to generate links on email content (OFBIZ-4361) OFBiz contains a nice process to generate link through WebSite entity. Unfortunately when you send an email, the standard service didn't propagate the website to the body content email, so we can't use it.

This improvement is needed on forgot password process to resolve the correct uri and go back on good OFBiz component: where the user requested for a new password.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1867961 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Improved: Use website to generate links on email content (OFBIZ-4361) OFBiz contains a nice process to generate link through WebSite entity. Unfortunately when you send an email, the standard service didn't propagate the website to the body content email, so we can't use it.

This improvement is needed on forgot password process to resolve the correct uri and go back on good OFBiz component: where the user requested for a new password.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1867960 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Fixed: Any ecommerce user has the ability to reset another's password (including admin) via 'Forget Your Password' (OFBIZ-4361) Trunk backport r1866478 and r1866518

Currently, any user (via ecommerce 'Forget Your Password') has the ability to reset another user's password, including 'admin' without permission.

By simply entering 'admin' and clicking 'Email Password', the following is displayed:

The following occurred:

A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably

Removed unused Java variables

Removed a check in LoginEvents::forgotPassword which prevented to show error messages

Changed fr and en SecurityExtPasswordSentToYou

+ SecurityExtThisEmailIsInResponseToYourRequestToHave labels

+ template PasswordEmail.ftl

+ loginservices.token_incorrect labels

Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels

Removed changes in general.properties

I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev ML. But this version is already strong enough to not wait that the patch is inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess with some Gil's help, and all others for comments and ideas

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1867296 13f79535-47bb-0310-9956-ffa450edef68

  1. … 20 more files in changeset.
Fixed: Any ecommerce user has the ability to reset another's password (including admin) via "Forget Your Password" (OFBIZ-4361)

Currently, any user (via ecommerce "Forget Your Password") has the ability to reset another user's password, including "admin" without permission.

By simply entering "admin" and clicking "Email Password", the following is displayed:

The following occurred:

A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably

Removed unused Java variables

Removed a check in LoginEvents::forgotPassword which prevented to show error messages

Changed fr and en SecurityExtPasswordSentToYou

+ SecurityExtThisEmailIsInResponseToYourRequestToHave labels

+ template PasswordEmail.ftl

+ loginservices.token_incorrect labels

Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels

Removed changes in general.properties

I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev ML. But this version is already strong enough to not wait that the patch is inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess with some Gil's help, and all others for comments and ideas

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1866478 13f79535-47bb-0310-9956-ffa450edef68

  1. … 20 more files in changeset.
Improved: no functional change.

As announced on dev ML removes unused code related to rememberMe.

I noticed this block of code in LoginEvents::storeLogin

    if ("Y".equals(request.getParameter("rememberMe"))) {
        setUsername(request, response);
    }

It was added by Andrew long ago: https://markmail.org/message/dmqqxse65inh6amr

But rememberMe is never created in code so LoginEvents::setUsername is never used.

This removes this block of code and the 2 related methods below.

Also automatically clean imports

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1846221 13f79535-47bb-0310-9956-ffa450edef68

Improved: Remove all unnecessary boxing and unboxing in Java classes (OFBIZ-10504)

Thanks Taher, Jacques, Mathieu and Rishi for the review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1837577 13f79535-47bb-0310-9956-ffa450edef68

  1. … 175 more files in changeset.
Improved: Move all data in applications to the datamodel component. Removed unused files as no data in it. (OFBIZ-9501) Thanks Sourabh Jain for your contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1823182 13f79535-47bb-0310-9956-ffa450edef68

  1. … 46 more files in changeset.
Improved: Move all data in applications to the datamodel component. Moved demo data from accounting, commonext, content, humanres, manufacturing, marketing, order, party, product, workeffort components to datamodel component. Done changes in related data files and do entries accordingly. (OFBIZ-9501) Thanks to Sourabh Jain for your contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1823177 13f79535-47bb-0310-9956-ffa450edef68

  1. … 68 more files in changeset.
Improved: Handle service response effectively (OFBIZ-9981)

As per discussion on Dev ML:

==========================

Every service calling from java/groovy must handle errors by service util methods such as isError, returnError etc. and similarly in case of XML <call-service, there should be <check-error/> to make sure service was executed successfully.

Apart from this, one suggestion is to include *Debug.logError* in *ServiceUtil.returnProblem* so that in case of any error occurred and handled, it will always be logged on the console.

==========================

jleroux: this is the applications part with some slight changes

Thanks: Suraj Khurana and Anushi Gupta

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1819730 13f79535-47bb-0310-9956-ffa450edef68

  1. … 68 more files in changeset.
Improved: Always check if debug verbose is on when using Debug.logVerbose() (OFBIZ-10052)

This completes r1818010, there were much more cases.

Also few tabs automatically replaced by spaces

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1818020 13f79535-47bb-0310-9956-ffa450edef68

  1. … 43 more files in changeset.
Improved: Always check if debug verbose is on when using Debug.logVerbose() (OFBIZ-10052)

We discussed on this point: http://markmail.org/message/mplvusuqn7oshl4v and we agreed about better doing a check when using Debug.logVerbose().

I checked there are 300+ cases like that. Since it's an easy S/R

This implements it

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1818005 13f79535-47bb-0310-9956-ffa450edef68

  1. … 95 more files in changeset.
Improved: Replace all delegator findByAnd and findOne method calling by EntityQuery methods (OFBIZ-10029) Applied slightly modified patch, rearrange import properly, Thanks Suraj Khurana for your contribution

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1818003 13f79535-47bb-0310-9956-ffa450edef68

  1. … 45 more files in changeset.
Reverted r#1817989, working fine locally, reverted for now will check and commit again

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1817998 13f79535-47bb-0310-9956-ffa450edef68

  1. … 45 more files in changeset.
Improved: Replace all delegator findByAnd and findOne method calling by EntityQuery methods (OFBIZ-10029) Applied slightly modified patch, rearrange import properly, Thanks Suraj Khurana for your contribution

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1817989 13f79535-47bb-0310-9956-ffa450edef68

  1. … 45 more files in changeset.
Improved: General refactoring and code improvements, package org.apache.ofbiz.securityext.login. (OFBIZ-9868)

Thanks Dennis Balkir for reporting and providing the patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1817745 13f79535-47bb-0310-9956-ffa450edef68

Improved: Fixing defects reported by FindBugs, package org.apache.ofbiz.securityext.login. (OFBIZ-9637)

No functional change, missed a compilation issue,

Thanks: Buildbot :)

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1815195 13f79535-47bb-0310-9956-ffa450edef68

Improved: Fixing defects reported by FindBugs, package org.apache.ofbiz.securityext.login. (OFBIZ-9637)

No functional change.

I prefer to use URLEncoder.encode(reqParam, "UTF-8") rather than ESAPI HTML encoder for 3 reasons:

* URLEncoder.encode() is sufficient to answer to HTTP response splitting using Percent-encoding (aka URL encoding)

* Consistent and simpler code using basic Java

* Using "UTF-8" is (more than) recommended, see https://docs.oracle.com/javase/8/docs/api/java/net/URLEncoder.html

I will check what using ESAPI HTML encoder entails. As Javadoc says "Not doing so may introduce incompatibilities." We have 30+ cases, they are maybe OK, but we need to check...

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1815192 13f79535-47bb-0310-9956-ffa450edef68
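
An added illustration of the point made in the last commit message above (not code from the OFBiz repository): percent-encoding with URLEncoder.encode turns CR and LF into %0D and %0A, so a request parameter copied into a header value can no longer end the header line. The class name, helper methods, path, parameter name and sample value are constructed for the example.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class ResponseSplittingDemo {

    // Hypothetical helper: appends a request parameter to a redirect target,
    // optionally percent-encoding it the way the commit message describes.
    static String redirectTarget(String reqParam, boolean encode)
            throws UnsupportedEncodingException {
        String value = encode ? URLEncoder.encode(reqParam, "UTF-8") : reqParam;
        return "/example/login?USERNAME=" + value; // placeholder path and parameter name
    }

    // Serialises a minimal response head and counts the lines a client would
    // parse before the blank line that ends the headers.
    static int headLineCount(String location) {
        String head = "HTTP/1.1 302 Found\r\nLocation: " + location + "\r\n\r\n";
        String headersOnly = head.substring(0, head.indexOf("\r\n\r\n"));
        return headersOnly.split("\r\n").length;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample input: a parameter value carrying a CR/LF pair.
        String reqParam = "demo\r\nX-Constructed: 1";

        String raw = redirectTarget(reqParam, false);
        String encoded = redirectTarget(reqParam, true);

        // The raw value adds a line to the response head; the encoded one does not.
        System.out.println("raw head lines:     " + headLineCount(raw));
        System.out.println("encoded head lines: " + headLineCount(encoded));
        System.out.println("encoded target:     " + encoded);
    }
}
```

Counting the lines of the serialised head is a cheap regression check for any code path that copies request data into a header.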