ofbiz


Improved: Remove redundant type declarations

Updated information about vulnerabilities fixed by 16.11.06.

Updated download page with new release information.

Improved: no functional change

Removes duplicated label

Improved: Document how to store the JWT secret key

(OFBIZ-10751)

Adds a link to OFBIZ-11187

"Applied fix from trunk for revision: 1865852"

------------------------------------------------------------------------

r1865852 | pawan | 2019-08-24 16:28:57 +0200 (sam. 24 août 2019) | 8 lignes

Fixed: Issue of unable to view a PartyContent on view profile page of a party

(OFBIZ-11038)

When clicking on the view button, the img request is hit with contentName and imgId as parameters. This request invokes the serveImage event (DataEvents.java), which is now deprecated.

Instead of the img request, we can call the stream request with contentId as a parameter, which invokes the serveObjectData event.

This will work as per the value of content-disposition-type (requestHandler.properties), i.e. attachment or inline.

Thanks: Devanshu Vyas for reporting the issue and Humera Khan for the patch and Prachi Shastri for testing of the bug.

------------------------------------------------------------------------

"Applied fix from trunk framework for revision: 1865852"

------------------------------------------------------------------------

r1865852 | pawan | 2019-08-24 16:28:57 +0200 (sam. 24 août 2019) | 8 lignes

Fixed: Issue of unable to view a PartyContent on view profile page of a party

(OFBIZ-11038)

When clicking on the view button, the img request is hit with contentName and imgId as parameters. This request invokes the serveImage event (DataEvents.java), which is now deprecated.

Instead of the img request, we can call the stream request with contentId as a parameter, which invokes the serveObjectData event.

This will work as per the value of content-disposition-type (requestHandler.properties), i.e. attachment or inline.

Thanks: Devanshu Vyas for reporting the issue and Humera Khan for the patch and Prachi Shastri for testing of the bug.

------------------------------------------------------------------------

"Applied fix from trunk for revision: 1865852"

------------------------------------------------------------------------

r1865852 | pawan | 2019-08-24 16:28:57 +0200 (sam. 24 août 2019) | 8 lignes

Fixed: Issue of unable to view a PartyContent on view profile page of a party

(OFBIZ-11038)

When clicking on the view button, the img request is hit with contentName and imgId as parameters. This request invokes the serveImage event (DataEvents.java), which is now deprecated.

Instead of the img request, we can call the stream request with contentId as a parameter, which invokes the serveObjectData event.

This will work as per the value of content-disposition-type (requestHandler.properties), i.e. attachment or inline.

Thanks: Devanshu Vyas for reporting the issue and Humera Khan for the patch and Prachi Shastri for testing of the bug.

------------------------------------------------------------------------

Improved: updates DTD on site

Improved: Refactoring permission model call

(OFBIZ-7113)

As mentioned by Mathieu on dev ML uses rather a boolean than a token for

"require-new-transaction" and "return-error-on-failure"

Also some formatting while at it.

Implemented: Convert Picklist related CRUD services from simple to entity-auto

(OFBIZ-10636)

services converted:

* createPicklist

* updatePicklist

* deletePicklist

* createPicklistBin

* deletePicklistBin

* createPicklistItem

* updatePicklistItem

* updatePicklistItem

* deletePicklistItem

* createPicklistRole

* deletePicklistRole

Entity Picklist received two new fields, createdDate and lastModifiedDate,

that are needed to support automatic setting of createdByUserLogin natively

by the entity auto engine

Thanks to Pallavi Goyal for this issue and Suraj Khurana for the reminder.

Improved: Manage itemStatusId and oldItemStatusId on entity-auto engine

(OFBIZ-11183)

Currently the entity auto engine manages the status change operation on an Entity

during an update, by analysing the field statusId as the new status and comparing it with the current

value through the StatusValidChange system. If the change is validated, the previous status

is returned in the oldStatusId service parameter.

Service definition example:

<service name="updateRequirement" default-entity-name="Requirement" engine="entity-auto" invoke="update" auth="true">
    <description>Update an existing requirement</description>
    <auto-attributes include="pk" mode="IN" optional="false"/>
    <auto-attributes include="nonpk" mode="IN" optional="true"/>
    <attribute name="oldStatusId" type="String" mode="OUT" optional="true"/>
</service>

I extend this process to another standard status field: itemStatusId and oldItemStatusId, often present on item elements

<service name="updatePicklistItem" default-entity-name="PicklistItem" engine="entity-auto" invoke="update" auth="true">
    <description>Update PicklistItem</description>
    <auto-attributes include="pk" mode="IN" optional="false"/>
    <auto-attributes include="nonpk" mode="IN" optional="true"/>
    <attribute name="oldItemStatusId" type="String" mode="OUT" optional="true"/>
</service>

To realize this, I convert all calls on the statusId and oldStatusId raw naming to a dynamic field name resolution.

Like this, the logic for statusId or itemStatusId is exactly the same

Improved: PicklistStatusHistory doesn't follow history entity status pattern

(OFBIZ-11182)

The entity PicklistStatusHistory records each status change realized on a picklist.

It can't be converted to entity-auto easily because PicklistStatusHistory's field pattern

doesn't follow the same pattern as entities like ShipmentStatus and PartyStatus.

To solve this issue, I deprecate PicklistStatusHistory and move it to OldPicklistStatusHistory

and replace it by a new entity PicklistStatus that can be used natively with entityauto.

I added a new migration service migrateOldPicklistStatusHistoryToPickListStatus to forward all

picklist status history to the new entity.

Improved: updates DTD on site

Improved: Document how to store the JWT secret key

(OFBIZ-10751)

Fixes a typo

Improved: Document how to store the JWT secret key

(OFBIZ-10751)

As discussed in dev ML at https://markmail.org/message/dtjnu7fdi5noeagk and

previously in OFBIZ-9833 & OFBIZ-10307 we want to document how to store the

JWT secret key.

We agreed about keeping it as a property OOTB; and giving a link from the

security properties file to suggest how to better do it in production.

Fixed: Any ecommerce user has the ability to reset another's password

(including admin) via "Forget Your Password"

(OFBIZ-4361)

Adds the security.token.key value and changes the login.secret_key_string value

The security.token.key value is not mandatory for the "Forget Your Password"

feature but then only the username and password are used to create the JWT key.

Adds a reference for both properties to the

"Passwords and JWT (JSON Web Tokens) usage"

documentation to suggest users to choose the way to store these keys

Fix parenthesis syntax error in groovy

(OFBIZ-11186)

Thanks Samuel Trégouët for your contribution

Fix parenthesis syntax error in groovy

(OFBIZ-11186)

Thanks Samuel Trégouët for your contribution

Improved: no functional change

As discussed with Mathieu on dev ML change the location of meta-data files that

are maintained manually. They are distributed inside the JAR to allow the

‘ServiceLoader’ API [1] to find the classes implementing a particular interface

(corresponding to the file name) efficiently.

[1]https://docs.oracle.com/javase/8/docs/api/java/util/ServiceLoader.html

I spotted this with RAT, for base.util.test.UtilObjectTests$TestFactoryIntf

The other same files have ASL2 headers, I decided to not change that.

Fix parenthesis syntax error in groovy

(OFBIZ-11186)

Thanks Samuel Trégouët for your contribution

Improved: Get correct information history for Company Header in pdf document

(OFBIZ-11177)

CompanyHeader.groovy now uses the rendered document date

as a reference to retrieve company data.

Thanks Carl Demus for your contribution

Add timezone support to recurring job temporal expressions

(OFBIZ-11035)

When try to define a temporal expression for a recurring job where the temporal expression should be evaluated using a timezone other than whatever the default timezone is for the system.

The use case is having a system that runs on UTC time but needs to send a report at 5 pm Pacific Time every day regardless of whether or not daylight savings is in effect.

To do this:

Added a new field to JobSandbox such as recurrenceTimeZone and modified code to use this timeZone if available.

Thanks: Scott Gray for reporting and Nicolas Malin for the review.

Implemented: Add a mechanism to prevent the usage of EntitySyncRemove

(OFBIZ-10008)

Complete the previous commit on revision 1835296 [1] to add mechanism to prevent

the usage of EntitySyncRemove also on function Delegator.removeByPrimaryKey

[1] https://svn.apache.org/viewvc?view=revision&revision=1835296

Implemented: Add a mechanism to prevent the usage of EntitySyncRemove

(OFBIZ-10008)

Complete the previous commit on revision 1835296 [1] to add mechanism to prevent

the usage of EntitySyncRemove also on function Delegator.removeByPrimaryKey

[1] https://svn.apache.org/viewvc?view=revision&revision=1835296

Fixed: Any ecommerce user has the ability to reset another's password

(including admin) via "Forget Your Password"

(OFBIZ-4361)

Currently, any user (via ecommerce "Forget Your Password") has the ability to

reset another user's password, including "admin" without permission.

By simply entering "admin" and clicking "Email Password", the following is

displayed:

The following occurred:

A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there

is no captcha code required. This is a serious security risk.

I have modified the patch following comments I made in the Jira, notably

Removed unused Java variables

Removed a check in LoginEvents::forgotPassword which prevented to show error

messages

Changed fr and en SecurityExtPasswordSentToYou

+ SecurityExtThisEmailIsInResponseToYourRequestToHave labels

+ template PasswordEmail.ftl

+ loginservices.token_incorrect labels

Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels

Removed changes in general.properties

I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev

ML. But this version is already strong enough to not wait that the patch is

inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess

with some Gil's help, and all others for comments and ideas

Updates README with correct init-gradle-wrapper filename for Unix-like OS

Improved: Change current view-link requirement to allow use of

entity-condition only in view-entities

(OFBIZ-11179)

To explain the subject, I will give an example encountered recently:

We used, for a customer project, a view with Agreement, Virtual and Variant

product entities and where the agreement can be attached to a virtual OR a

variant product.

So to make a view returning Variant Product, Virtual Product AND Agreement

information, I could not create a view, as the key-map link is mandatory and

made it impossible.

I can not have an alternative relation to the same entity so we have to

duplicate member-entity and an alternative relation path.

The result is a complicated and ugly entity-view

I think this could have been much simpler if I could have done it directly

through the entity-condition (see the AGPA/PDTA view link in attached file

ExampleWithoutKeyMap.xml)

So the purpose is to add the possibility to create a view-link without key map,

if there is an entity-condition.

You can test by applying the given patch and add the entity view from attached

file ExampleWithoutKeyMap.xml

Thanks: Leila Mekika

Implemented: Service parameter default-value attribute can support flexible string

(OFBIZ-11180)

When you define a service with default-value, you can't set simple dynamic resolution for the value.

The improvement extends the default-value attribute on service parameter to support the FlexibleStringExpander syntax and realizes the expansion on the service context.

Example:

<service name="createPicklist" default-entity-name="Picklist" engine="entity-auto" invoke="create" auth="true">

<auto-attributes include="pk" mode="OUT" optional="false"/>

<auto-attributes include="nonpk" mode="IN" optional="true"/>

<override name="statusId" default-value="PICKLIST_INPUT"/>

<override name=picklistDate default-value=/>

</service>

Thanks Jacques Le Roux and Swapnil M Mane for the review

Convert CommunicationEventServices mini lang to groovy, service createCommunicationEvent

(OFBIZ-9992) (OFBIZ-11164)

Last commit with literal translation for service createCommunicationEvent