Hi Jacques, Samuel, all,

I think the security concerns raised are valid.

However, we can look into adding an attribute when the URL parameter check isn’t 
required. 
For example,
<request-map … >
    
  <security https="true" auth="true"
            allow-query-string-for-service-event="true"/>
    
  …
 
Regards,
James

On 2019/10/31 14:20:11, Jacques Le Roux <jacques.le.r...@les7arts.com> wrote: 
> Hi Samuel,
> 
> You can go ahead. I became entangled with non-ending issues while working on 
> this, and this change will not change anything about those unrelated issues.
> 
> Jacques
> 
> On 30/10/2019 at 17:01, Jacques Le Roux wrote:
> > On 30/10/2019 at 15:34, Samuel wrote:
> >> Hi Jacques,
> >>
> >> On 27/10/2019 17:42, Jacques Le Roux wrote:
> >>
> >>> … So I have no problem removing this method... and closing OFBIZ-2330, 
> >>> maybe after "fixing" OFBIZ-9804...
> >>
> >> I'm not sure I get your point with OFBIZ-9804; if we simply remove 
> >> `checkSecureParameter` we fix this issue, don't we?
> >>
> >> Samuel
> >>
> > Yes, kinda. I prefer to have all calls to updateContactListPartyNoUserLogin 
> > similar. Please wait a bit before I close OFBIZ-9804...
> >
> > Jacques
> >
> >
> 
