David,
I think I have found how it was possible to change the VisualTheme
even with the security issue we had on the demo at that time.
It also explains how an ecommerce theme was applied on the backoffice.
It should have been done using the ListPreferences form that I have now
fixed in rev. 754639.

-Bruno

2009/3/11 David E Jones <david.jo...@hotwaxmedia.com>:
>
> You could try looking at the Visit and ServerHit records for the user to get
> an idea of what may have done this.
>
> What caused this is a good question... the database is supposed to be
> cleaned out every day, and if it isn't working then something's up. One
> possibility is that the theme was changed through an insecure URL if there
> is one somewhere in some application, and that would work.
>
> -David
>
>
> On Mar 10, 2009, at 4:44 PM, Bruno Busco wrote:
>
>> Yes, I need to better dig into it but I suppose it to be related to the
>> recent, stronger OFBiz security constraint.
>> The strange thing (not strictly related to the security but to how
>> VisualThemes are set) is that even if this security issue is already
>> deployed to the demo server, there should be some way to change the
>> Visual Theme.
>> Until a few minutes ago the backoffice was not working with admin/ofbiz
>> because the multiflex theme was selected (that is not supposed to be
>> used in the backoffice).
>> I logged in as demoadmin/ofbiz and found the bluelight theme in place
>> for this login.
>> Finally I logged in as flexadmin/ofbiz and manually deleted the
>> UserPreferences record that had admin stuck on multiflex.
>> Doing this now the demo is working again but...how were people able to
>> change the theme?
>>
>> I tried to use party/visits and webtools/logs in order to discover the
>> "hack" but no way.
>> It would be interesting to know how to track the user activity that
>> led to this. How to?
>>
>> -Bruno
>>
>> 2009/3/10 David E Jones <david.jo...@hotwaxmedia.com>:
>>>
>>> I did write some messages and send them to this list, one to propose these
>>> changes and another to communicate that they were in place... :)
>>>
>>> Of course, now that people are seeing the downside to security, maybe
>>> opinions won't be so in favor of it? ;)
>>>
>>> -David
>>>
>>>
>>> On Mar 10, 2009, at 4:28 PM, Adrian Crum wrote:
>>>
>>>> I encountered that error too.
>>>>
>>>> -Adrian
>>>>
>>>> Bruno Busco wrote:
>>>>>
>>>>> Hi,
>>>>> in the latest trunk (rev. 752277) I got this error whenever I try to
>>>>> change the VisualTheme in the backoffice:
>>>>> The Following Errors Occurred:
>>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>>> Found URL parameter [userPrefTypeId] passed to secure (https)
>>>>> request-map with uri [setUserPreference] with an event that calls
>>>>> service [setUserPreference]; this is not allowed for security reasons!
>>>>> -Bruno
>>>
>>>
>
>
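
The check behind the error quoted at the bottom of this thread, modelled as an added example (this is not OFBiz code and not Bruno's fix; RequestMap, Request and check_request are this example's own names, and the demo.example.test host and the VISUAL_THEME/BLUELIGHT/MULTIFLEX parameter values are constructed). A request-map marked https whose event calls a service rejects any parameter that arrives on the URL query string, which is exactly what a theme-changing link produces; the same fields POSTed in a form body pass, and so does the same link against a request-map that is not marked https, which is the "insecure URL somewhere in some application" David describes:

```python
"""Added example: a model of the OFBiz-style check that rejects URL
parameters on secure, service-backed request-maps.  Not OFBiz code."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class RequestMap:
    """Minimal stand-in for a controller.xml <request-map> entry (assumed shape)."""
    uri: str
    https: bool           # security https="true"
    event_type: str       # "service", "java", ...
    event_invoke: str     # service name when event_type == "service"


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape)."""
    url: str                                           # may carry a query string
    method: str = "GET"
    body_params: dict = field(default_factory=dict)    # form-encoded body fields


class EventHandlerException(Exception):
    pass


def check_request(rmap: RequestMap, req: Request) -> dict:
    """Return the parameters the event may see, or raise when the request
    carries URL parameters into a secure request-map that calls a service."""
    url_params = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    if rmap.https and rmap.event_type == "service" and url_params:
        name = sorted(url_params)[0]
        raise EventHandlerException(
            f"Found URL parameter [{name}] passed to secure (https) "
            f"request-map with uri [{rmap.uri}] with an event that calls "
            f"service [{rmap.event_invoke}]; this is not allowed for "
            f"security reasons!")
    # Otherwise URL parameters and body parameters are merged as usual.
    params = {k: v[0] for k, v in url_params.items()}
    params.update(req.body_params)
    return params


# The secure request-map named in the thread's error message.
SET_USER_PREFERENCE = RequestMap(
    uri="setUserPreference", https=True,
    event_type="service", event_invoke="setUserPreference")


def theme_change_via_link() -> str:
    """The pattern that produced the error: a link with parameters in the
    URL (constructed request)."""
    req = Request(
        url="https://demo.example.test/webtools/control/setUserPreference"
            "?userPrefTypeId=VISUAL_THEME&userPrefValue=BLUELIGHT")
    try:
        check_request(SET_USER_PREFERENCE, req)
        return "accepted"
    except EventHandlerException as e:
        return str(e)


def theme_change_via_form() -> dict:
    """The pattern a form submission produces: the same fields in a POST body."""
    req = Request(
        url="https://demo.example.test/webtools/control/setUserPreference",
        method="POST",
        body_params={"userPrefTypeId": "VISUAL_THEME",
                     "userPrefValue": "BLUELIGHT"})
    return check_request(SET_USER_PREFERENCE, req)


def theme_change_via_insecure_map() -> dict:
    """A request-map for the same service that is not marked https accepts
    the link unchanged, so a stray insecure URL defeats the constraint."""
    insecure = RequestMap(uri="setUserPreference", https=False,
                          event_type="service", event_invoke="setUserPreference")
    req = Request(
        url="http://demo.example.test/someapp/control/setUserPreference"
            "?userPrefTypeId=VISUAL_THEME&userPrefValue=MULTIFLEX")
    return check_request(insecure, req)


if __name__ == "__main__":
    print(theme_change_via_link())
    print(theme_change_via_form())
    print(theme_change_via_insecure_map())
```

The point of the third function is the audit it suggests: the constraint only protects request-maps that carry the https flag, so a backoffice that still ends up with a theme it never offered is a hint to look for another request-map, in any webapp, that reaches the same service without it.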
