Hi,

After our last change (the one being released) no stoken check is performed on 
the tobasket action. You do not have to change any of your custom links on 
external pages. The action will work as before with the latest release.

Regards
Tomas Liubinas

From: [email protected] 
[mailto:[email protected]] On Behalf Of Marat Bedoev
Sent: Tuesday, September 30, 2014 12:01 PM
To: [email protected]
Subject: Re: [oxid-dev-general] Security improvement: Dynamic security token check

Hello,

I'm a bit confused. We use tobasket URLs on external pages like a bundle/product 
configurator to add the products to the basket.
So, if a user who is already logged in to the shop clicks on the link on an 
external page, the check would fail and nothing would happen?
But users who are not logged in would get the products added to their baskets?

Thank you,
Marat


From: [email protected] 
[mailto:[email protected]] On Behalf Of Tomas Liubinas
Sent: Tuesday, 30 September 2014 10:13
To: [email protected]
Subject: Re: [oxid-dev-general] Security improvement: Dynamic security token check

Hi everyone,

Last week I informed you about the stoken check to be expected, remember? I'm 
reaching out today to let you know that we had to update the behavior before the 
present release:

Basically the change is that stoken is now checked not for every form but only 
for forms intended for logged-in users. Adding via the "tobasket" link can be 
performed by anonymous users, therefore stoken is not checked and not validated 
in this case. As we used the "tobasket" link as an example in our documentation, 
we changed the documentation:
http://wiki.oxidforge.org/Downloads/4.9.0_5.2.0#Dynamic_Group_assignment_security_improvement

The note regarding no-longer-supported features (adding to basket from 3rd 
party sites) was also removed. So no feature will be lost due to this security 
improvement.

Sorry for any inconvenience; I didn't want to confuse you, just let you know in 
time about the changes...

Regards
Tomas Liubinas
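The rule Tomas describes, modelled as an added example that is not OXID eShop's own code: a per-session token that is validated only for actions intended for logged-in users, next to the first-announced behaviour where every action URL needed it. The action table, the session class and the link parameter names are assumptions constructed for the illustration.

```python
import hmac
import secrets

# Simplified model of a per-session anti-CSRF token ("stoken") check.
# Constructed for illustration; this is not OXID eShop's own code.

# Which actions are meant for logged-in users only (assumed table; the
# real shop decides this per form/controller). Unknown actions fail closed.
ACTIONS_REQUIRING_LOGIN = {"changeuser": True, "tobasket": False}


class Session:
    """Minimal stand-in for a shop session."""

    def __init__(self, logged_in: bool):
        self.logged_in = logged_in
        self.stoken = secrets.token_hex(16)  # unpredictable, per session


def token_matches(session: Session, params: dict) -> bool:
    """Compare the submitted stoken with the session's one in constant time."""
    return hmac.compare_digest(params.get("stoken", ""), session.stoken)


def allowed_check_all(session: Session, action: str, params: dict) -> bool:
    """Behaviour first announced: every form and action URL needs a valid stoken."""
    return token_matches(session, params)


def allowed_logged_in_only(session: Session, action: str, params: dict) -> bool:
    """Behaviour actually released: only forms intended for logged-in users
    are checked, so an action anonymous visitors may trigger (tobasket)
    passes without a token, whether or not the visitor is logged in."""
    if not ACTIONS_REQUIRING_LOGIN.get(action, True):
        return True  # anonymous-capable action: no stoken check
    return token_matches(session, params)


def external_tobasket_link(product_id: str) -> dict:
    """Parameters of a tobasket link on a third-party page (constructed keys).
    It cannot carry the visitor's stoken: the external site never sees it."""
    return {"action": "tobasket", "product": product_id}


def internal_form(session: Session, fields: dict) -> dict:
    """A form rendered by the shop itself embeds the session's stoken."""
    return {"stoken": session.stoken, **fields}
```

Under the first-announced rule a logged-in visitor following an external tobasket link is rejected, which is exactly Marat's concern; under the released rule the link works for everyone, while a logged-in-only form without the session's own token is still refused.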

From: [email protected] 
[mailto:[email protected]] On Behalf Of Joscha Krug | 
marmalade GmbH
Sent: Thursday, September 25, 2014 5:10 PM
To: [email protected]
Subject: Re: [oxid-dev-general] Security improvement: Dynamic security token check

Hello Marco,

Thanks for the information!

Could someone from the devs explain the background? This will not be so easy to 
implement automatically as it affects a lot of templates.

Best regards,

Joscha

//---------

Joscha Krug
marmalade GmbH

www.marmalade.de
[email protected]

Leibnizstr.25
39104 Magdeburg
GERMANY

phone: +49 (0) 391 / 559 22 104
fax:   +49 (0) 391 / 559 22 106

On 25.09.2014 16:01, Marco Steinhaeuser wrote:

Hi everybody,

Just added an important section to the release notes of the upcoming OXID eShop 
version 4.9/5.2: the dynamic security token parameter check was expanded to all 
forms and action URLs. This is important for you to know, especially if you're 
running functions like to_basket etc.

Read more about it here:

http://wiki.oxidforge.org/Downloads/4.9.0_5.2.0#Security_improvement:_Dynamic_security_token_check

Please come back with any questions about it and the other items on this 
release notes page.

Best regards!

Marco

_______________________________________________
dev-general mailing list
[email protected]
http://dir.gmane.org/gmane.comp.php.oxid.general
