Hi Jacques, I think we can't make auth true for getAssociatedStateList; this will break the anon checkout flow.
Thanks & Regards -- Deepak Dixit ofbiz.apache.org On Sat, Mar 14, 2020 at 1:19 PM <jler...@apache.org> wrote: > This is an automated email from the ASF dual-hosted git repository. > > jleroux pushed a commit to branch trunk > in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git > > > The following commit(s) were added to refs/heads/trunk by this push: > new e72e134 Improved: "auth" should be true for all the request url > used for Application components > e72e134 is described below > > commit e72e1348c13f892cfbd3ffdb78f536c4e4aa6b68 > Author: Jacques Le Roux <jacques.le.r...@les7arts.com> > AuthorDate: Sat Mar 14 08:49:54 2020 +0100 > > Improved: "auth" should be true for all the request url used for > Application > components > > (OFBIZ-4956) > > Currently there are some URLs present in application components with > auth="false". So anyone can hit these URLs and access these resources > without > authorization. > > I think all the URLs should be secure with auth="true" > > Thanks: Amardeep Singh Jhajj for report and initial fix > --- > ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml > b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml > index 5f7031c..27a0383 100644 > --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml > +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml > @@ -1605,7 +1605,7 @@ under the License. > </request-map> > > <request-map uri="getAssociatedStateList"> > - <security https="true" auth="false"/> > + <security https="true" auth="true"/> > <event type="service" invoke="getAssociatedStateList"/> > <response name="success" type="request" value="json"/> > <response name="error" type="request" value="json"/> > >
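Review bot: The hunk in ecommerce/webapp/ecommerce/WEB-INF/controller.xml flips `<security https="true" auth="false"/>` to `auth="true"` on the `getAssociatedStateList` request-map, but that request is a JSON service call consumed by the storefront's anonymous checkout flow (as Deepak notes in the reply above), so requiring a login here breaks unauthenticated customers rather than hardening anything. The commit message's blanket rule ("all the URLs should be secure with auth=true") does not distinguish admin-facing requests from read-only lookups that a public webapp must serve before any user exists; for the ecommerce component the appropriate control for this line is keeping `https="true"` and confirming that the invoked service only returns public reference data with no side effects, not gating it behind authentication. Suggest reverting this one-line change under OFBIZ-4956 and adding an XML comment next to the `<security>` element stating that `auth="false"` is intentional for the anonymous checkout, so the next sweep does not re-apply the same change.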