Fixed: getJs unknown in Webpos (OFBIZ-11932)

R17 is not affected

Improved: Use Error.ftl everywhere it's not yet used (OFBIZ-11890)

The ecommerce and webpos controllers missed an errorpage reference.

All other controllers either use the common-controller directly, or indirectly by including controller(s) that include the common-controller.

Improved: Use Error.ftl everywhere it's not yet used (OFBIZ-11890)

Those are no longer needed, replaced by error.ftl

Improved: Use Error.ftl everywhere it's not yet used (OFBIZ-11890)

At https://markmail.org/message/n76cchtriexxmgm7 I asked:

Why have the ftl handlers only in the webtools controller? BTW it makes the XSD documentation awkward because it speaks about the ftl handlers being in handlers-controller.xml.

Why not use error.ftl in common-controller.xml instead of error.jsp?

Same question for plugins.

And answered:

I believe we could change all that and definitely get rid of error.jsp (error.ftl is already in all supported release branches)

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml for the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml for the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml for the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML (https://markmail.org/message/p6fbiojjrwb2ybxd) we decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML (https://markmail.org/message/p6fbiojjrwb2ybxd) we decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML (https://markmail.org/message/p6fbiojjrwb2ybxd) we decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

Improved: Themes can't be changed in webpos (OFBIZ-10767)

Following this discussion on the dev ML I decided to test it on Ubuntu in my Windows 7 VM and it works there.

Just that you don't automatically get back to the webpos page when changing the theme.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1850552 13f79535-47bb-0310-9956-ffa450edef68

Improved: Remove a few request-map "edit" attributes in controllers (OFBIZ-10608)

As documented, currently:

Reserved for future use (not used yet).

I checked, it's still not implemented. So no need to confuse people for now; better to remove it until it's really used.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1844744 13f79535-47bb-0310-9956-ffa450edef68

Improved: Renames setLocaleFromBrowser to SetTimeZoneFromBrowser everywhere it's needed. (OFBIZ-10472)

FORGOT IT in WEBPOS!

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1840446 13f79535-47bb-0310-9956-ffa450edef68

Fixed: setLocaleFromBrowser request missing for webpos component (OFBIZ-9847)

I here revert r1812213 and simply add the required setLocaleFromBrowser request-map; the include of the whole common-controller is not needed.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1812223 13f79535-47bb-0310-9956-ffa450edef68

Fixed: setLocaleFromBrowser request missing for webpos component (OFBIZ-9847)

Step to regenerate:

Login to webpos component (https://localhost:8443/webpos/control/main)

You get an error in logs

Thanks: Aditya

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1812213 13f79535-47bb-0310-9956-ffa450edef68

Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses the @WebListener annotation to start the process. This avoids duplicating things everywhere in web.xml files. Since the web.xml files have precedence over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce, the ecommerce session cookie is also secured.

I also noted that we had 8 weird <session-timeout> declarations:

in solr component: <session-timeout>2</session-timeout>

in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode> declarations. I think it's not good.

I resolved these points by simply removing the <session-config> in the web.xml files of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

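What an annotation-registered listener that replaces the <session-config> declarations looks like, as an added example that is not OFBiz's own listener (that code is not on this page). It applies the secure and HttpOnly cookie flags and cookie-only session tracking that the commit describes; an explicit <session-config> in a web.xml still wins over it, which is the override mechanism the message relies on. The class name is hypothetical.

```java
// Added example, not OFBiz code. A @WebListener that sets, at context start-up, the
// session settings a web.xml <session-config> block would otherwise declare.
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

@WebListener
public class SessionConfigListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();

        // Equivalent of <tracking-mode>COOKIE</tracking-mode>: the session id is neither
        // accepted from nor written into the URL (;jsessionid=...), so it cannot leak
        // through access logs, Referer headers or copied links.
        context.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        // Equivalent of <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>.
        // Both calls are only legal before the context has finished initialising,
        // which is why they live in a ServletContextListener.
        SessionCookieConfig cookie = context.getSessionCookieConfig();
        cookie.setHttpOnly(true); // not readable from JavaScript
        cookie.setSecure(true);   // only sent over HTTPS; the webapp itself must be served over HTTPS
    }

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // nothing to release
    }
}
```

The session timeout has no Servlet 3.x programmatic equivalent at context level (ServletContext.setSessionTimeout only arrived in Servlet 4.0), which fits the later OFBIZ-6655 commit on this page that put the <session-timeout> value back into the web.xml files instead of calling setMaxInactiveInterval per session. A webapp that a web.xml still declares with <session-config> keeps its own values; removing that block, as the commit did for the themes and Solr, is what lets the listener's defaults apply.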
Removed duplicated request/view mapping from plugins

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1805756 13f79535-47bb-0310-9956-ffa450edef68

Improved: moved the logic/implementation of OFBiz legacy authentication tokens from the LoginWorker class to a new class named ExternalLoginKeysManager.

Improved Javadocs in the new class.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1775807 13f79535-47bb-0310-9956-ffa450edef68

Implemented: removed the "controller" related logic, that is now provided by the new ControlFilter, from the ContextFilter; modified existing applications to use the two filters in a chain; removed from the other specialized filters all the logic that was duplicated or extended from ContextFilter.

A web application, in order to leverage the OFBiz framework, requires that a series of objects are in its contexts (servlet context, session and request) such as "delegator", "delegatorName", "dispatcher", "security" etc. etc... This setup is performed by the logic contained in the servlet filter implemented by the ContextFilter class. The execution of this logic is required for the application to run properly.

However, before this commit, in the ContextFilter there was other logic, related to access control and redirection rules (some of them performed in coordination with the ControlServlet), making it difficult to deploy this filter in all the web applications, especially the ones that implement special handling of paths. In fact, this filter was deployed in most but not all the web applications in the OFBiz codebase: specifically it was not deployed in web applications that require the execution of other filters (e.g. CatalogUrlFilter, etc...) like the ones in the "ecommerce" and "solr" components.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1761304 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-6274) Renamed OFBiz artefacts from org.ofbiz.* to org.apache.ofbiz.*. Thanks to Taher for working on it.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1752920 13f79535-47bb-0310-9956-ffa450edef68

Fixes a "typo" in last commit for "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

We used targetNamespace (should only be used in schema) instead of xsi:schemaLocation

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749634 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

This is the 2nd step: puts back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749489 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061 by replacing xsd file references in xml files with -ns.xsd files and removing the concerned xsd files

This is a 1st step; in a 2nd I will put back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749488 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-7244) Relocate .groovy files in the specialpurpose/webpos component

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1747796 13f79535-47bb-0310-9956-ffa450edef68

    • ./actions/catalog/SideDeepCategory.groovy: -37 / +0
    • ./actions/customer/EditAddress.groovy: -50 / +0
    • ./actions/manager/PaidOutAndIn.groovy: -23 / +0
    • ./actions/search/CustomerAddress.groovy: -47 / +0
    • ./actions/search/SearchSalesReps.groovy: -28 / +0
A big but straightforward commit for "Move minilang scripts from component://componentname/script/org/ofbiz to component://componentname/minilang" - https://issues.apache.org/jira/browse/OFBIZ-7267

I removed duplicate paths where componentname was uselessly repeated after component://componentname/script/org/ofbiz (projectmngr was the only one using 'project' there instead)

I had a few typos, easily fixed thanks to the tests. There could still be typos, but they are unexpected and anyway a no-brainer to fix

I'm still wondering about specialpurpose/example/minilang/README.txt.

I changed its content to

"The minilang directory is for static resources that are interpreted at run time rather than being compiled. This goes on the classpath, but does not get built or put into a JAR file."

not sure it makes any sense, I don't see how this relates to the classpath.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1747712 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-6981) Move groovy script under WEB-INF/actions for webpos.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1745567 13f79535-47bb-0310-9956-ffa450edef68

    • ./actions/WebPosMenus.groovy: -0 / +38
    • ./actions/WebPosSetup.groovy: -0 / +45
[OFBIZ-7042] Fixed "Forgot your password" process for Web POS. On clicking the "Forgot your password" link from the Web POS login page, the system was navigating to a blank page.

Thanks Amardeep Singh Jhajj for reporting the issue and providing a patch for the same.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1744041 13f79535-47bb-0310-9956-ffa450edef68
