Actually, I'm starting to wonder if we should revert it and relax that constraint. We have a lot of links that go to requests that call services and pass parameters and that would need to be updated. For sure they would be far more secure, but there is a bit of work to do (I'm realizing now that I've looked into it more and soaked up the implications a bit...). For example, most Delete/Remove/etc links are this way. Now, for sure they aren't very secure as-is, but there are quite a few to change (a form widget update can fix many of them perhaps, but that is complicated for multi forms as the natural way would be to do nested forms which are a nice fantasy but not supported in the real world ;) ).

Anyway, I'm working on it, but it's a bit of a mess I've created with this one...

-David


On Mar 10, 2009, at 4:43 PM, Adrian Crum wrote:

I don't have a problem with it. I wasn't sure what to do about it. Your other reply was helpful.

-Adrian

David E Jones wrote:

I did write some messages and sent them to this list, one to propose these changes and another to communicate that they were in place... :) Of course, now that people are seeing the downside to security, maybe opinions won't be so in favor of it? ;)

-David

On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:

I encountered that error too.

-Adrian

Bruno Busco wrote:
Hi,
in the latest trunk (rev. 752277) I got this error whenever I try to
change the VisualTheme in the backoffice:
The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException:
Found URL parameter [userPrefTypeId] passed to secure (https)
request-map with uri [setUserPreference] with an event that calls
service [setUserPreference]; this is not allowed for security reasons!
-Bruno
