On https://www.ofbiz.it/catalog/control/login/main?USERNAME=admin&PASSWORD=ofbiz the actual theme is bluelight so it seems to be possible to change the theme, but...how?

2009/3/10 Bruno Busco <bruno.bu...@gmail.com>:
> Yes, I need to better dig into it but I supposed it to be related to the
> recent OFBiz strongest security constraint.
> The strange thing (not strictly related to the security but to how
> VisualThemes are set) is that even if this security issue is already
> deployed to the demo server, there should be some way to change the
> Visual Theme.
> Until a few minutes ago the backoffice was not working with admin/ofbiz
> because the multiflex theme was selected (that is not supposed to be
> used in the backoffice).
> I logged in as demoadmin/ofbiz and found the bluelight theme in place
> for this login.
> Finally I logged in as flexadmin/ofbiz and manually deleted the
> UserPreferences record that had admin stuck on multiflex.
> Doing this now the demo is working again but...how were people able to
> change the theme?
>
> I tried to use party/visits and webtools/logs in order to discover the
> "hack" but no way.
> It would be interesting to know how to track the user activity that
> took to this. How to?
>
> -Bruno
>
> 2009/3/10 David E Jones <david.jo...@hotwaxmedia.com>:
>>
>> I did write some messages and sent them to this list, one to propose these
>> changes and another to communicate that they were in place... :)
>>
>> Of course, now that people are seeing the downside to security, maybe
>> opinions won't be so in favor of it? ;)
>>
>> -David
>>
>>
>> On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:
>>
>>> I encountered that error too.
>>>
>>> -Adrian
>>>
>>> Bruno Busco wrote:
>>>>
>>>> Hi,
>>>> in the latest trunk (rev. 752277) I got this error whenever I try to
>>>> change the VisualTheme in the backoffice:
>>>> The Following Errors Occurred:
>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>> Found URL parameter [userPrefTypeId] passed to secure (https)
>>>> request-map with uri [setUserPreference] with an event that calls
>>>> service [setUserPreference]; this is not allowed for security reasons!
>>>> -Bruno