Yes, I need to dig into it better, but I suppose it is related to the recent stronger OFBiz security constraint. The strange thing (not strictly related to the security but to how VisualThemes are set) is that even if this security issue is already deployed to the demo server, there should be some way to change the Visual Theme. Until a few minutes ago the backoffice was not working with admin/ofbiz because the multiflex theme was selected (that is not supposed to be used in the backoffice). I logged in as demoadmin/ofbiz and found the bluelight theme in place for this login. Finally I logged in as flexadmin/ofbiz and manually deleted the UserPreferences record that had admin stuck on multiflex. Having done this, the demo is now working again but... how were people able to change the theme?
I tried to use party/visits and webtools/logs in order to discover the "hack" but no way. It would be interesting to know how to track the user activity that led to this. How to?

-Bruno

2009/3/10 David E Jones <david.jo...@hotwaxmedia.com>:
>
> I did write some messages and sent them to this list, one to propose these
> changes and another to communicate that they were in place... :)
>
> Of course, now that people are seeing the downside to security, maybe
> opinions won't be so in favor of it? ;)
>
> -David
>
>
> On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:
>
>> I encountered that error too.
>>
>> -Adrian
>>
>> Bruno Busco wrote:
>>>
>>> Hi,
>>> in the latest trunk (rev. 752277) I got this error whenever I try to
>>> change the VisualTheme in the backoffice:
>>> The Following Errors Occurred:
>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>> Found URL parameter [userPrefTypeId] passed to secure (https)
>>> request-map with uri [setUserPreference] with an event that calls
>>> service [setUserPreference]; this is not allowed for security reasons!
>>> -Bruno