You could try looking at the Visit and ServerHit records for the user
to get an idea of what may have done this.
What caused this is a good question... the database is supposed to be
cleaned out every day, and if it isn't working then something's up.
One possibility is that the theme was changed through an insecure URL
if there is one somewhere in some application, and that would work.
-David
On Mar 10, 2009, at 4:44 PM, Bruno Busco wrote:
Yes, I need to dig into it better, but I suppose it is related to the
recent stronger OFBiz security constraints.
The strange thing (not strictly related to the security but to how
VisualThemes are set) is that even if this security fix is already
deployed to the demo server, there should be some way to change the
Visual Theme.
Until a few minutes ago the backoffice was not working with admin/ofbiz
because the multiflex theme was selected (which is not supposed to be
used in the backoffice).
I logged in as demoadmin/ofbiz and found the bluelight theme in place
for this login.
Finally I logged in as flexadmin/ofbiz and manually deleted the
UserPreferences record that had admin stuck on multiflex.
Having done this, the demo is now working again, but... how were people
able to change the theme?
I tried to use party/visits and webtools/logs in order to discover the
"hack" but no way.
It would be interesting to know how to track the user activity that
led to this. How?
-Bruno
2009/3/10 David E Jones <david.jo...@hotwaxmedia.com>:
I did write some messages and sent them to this list, one to propose
these changes and another to communicate that they were in place... :)
Of course, now that people are seeing the downside to security, maybe
opinions won't be so in favor of it? ;)
-David
On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:
I encountered that error too.
-Adrian
Bruno Busco wrote:
Hi,
in the latest trunk (rev. 752277) I got this error whenever I try to
change the VisualTheme in the backoffice:
The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException:
Found URL parameter [userPrefTypeId] passed to secure (https)
request-map with uri [setUserPreference] with an event that calls
service [setUserPreference]; this is not allowed for security
reasons!
-Bruno
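The rule behind the error quoted above, written out as an added Python example. This is not OFBiz's own code: the request-map table, the Request class, check_request, accepted_parameters and the sample URLs are assumptions made for illustration. A request-map that requires https and whose event calls a service refuses any parameter that arrives in the URL query string, and takes the service's inputs only from the POST body; a plain view request is left alone.

```python
"""Refuse service-calling secure requests that carry parameters in the URL.

Added example, not OFBiz code. REQUEST_MAPS, Request, check_request and
accepted_parameters are assumed names for this illustration; the error text
is modelled on the one reported on the list.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed request-map table, loosely in the spirit of a controller
# configuration: "https" marks a secure map, "service" names the service the
# map's event invokes (None when the request only renders a view).
REQUEST_MAPS = {
    "setUserPreference": {"https": True, "service": "setUserPreference"},
    "main": {"https": False, "service": None},
}


@dataclass
class Request:
    method: str
    url: str                                   # full URL, query string included
    body: Dict[str, str] = field(default_factory=dict)   # parsed POST form fields
    user_login_id: str = "anonymous"


def request_uri(url: str) -> str:
    """Last path segment: '/webtools/control/setUserPreference' -> 'setUserPreference'."""
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


def url_parameters(url: str) -> Dict[str, str]:
    """Parameters carried in the query string (first value of each name)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def check_request(req: Request, request_maps=REQUEST_MAPS) -> Optional[str]:
    """Return an error message if the request must be refused, else None."""
    uri = request_uri(req.url)
    rmap = request_maps.get(uri)
    if rmap is None:
        return f"Unknown request [{uri}]"
    params = url_parameters(req.url)
    if rmap["https"] and rmap["service"] and params:
        offending = sorted(params)[0]          # report the first offending name
        return (f"Found URL parameter [{offending}] passed to secure (https) "
                f"request-map with uri [{uri}] with an event that calls service "
                f"[{rmap['service']}]; this is not allowed for security reasons!")
    return None


def accepted_parameters(req: Request, request_maps=REQUEST_MAPS) -> Dict[str, str]:
    """Parameters the event may hand to its service.

    Secure service-calling maps see only the POST body; other maps see the
    query string and body merged, body values winning on a clash.
    """
    if check_request(req, request_maps) is not None:
        raise ValueError("request refused")
    rmap = request_maps[request_uri(req.url)]
    if rmap["https"] and rmap["service"]:
        return dict(req.body)
    merged = url_parameters(req.url)
    merged.update(req.body)
    return merged


if __name__ == "__main__":
    # Constructed sample requests against the assumed host example.test.
    via_link = Request("GET", "https://example.test/webtools/control/"
                              "setUserPreference?userPrefTypeId=VISUAL_THEME"
                              "&userPrefValue=MULTIFLEX")
    via_form = Request("POST", "https://example.test/webtools/control/setUserPreference",
                       body={"userPrefTypeId": "VISUAL_THEME",
                             "userPrefValue": "BLUELIGHT"})
    print(check_request(via_link))                 # refused with the list's error text
    print(check_request(via_form))                 # None: accepted
    print(accepted_parameters(via_form))
```

The point of the rule, as David's reply hints, is that a state-changing service must not be reachable through a bare link: once the inputs have to travel in a POST body, a link somewhere in a theme or another application cannot change a user's preferences as a side effect of being followed. The cost is the one the thread ran into: every existing link that set the theme through URL parameters stops working until it is turned into a form.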