Bravo!

Jacques

From: "David E Jones" <david.jo...@hotwaxmedia.com>

Yes, thank you. I've actually answered this a half-dozen times, plus the messages in the discussions about security and the proposed change, and then descriptions of the actual change, and then descriptions of backing out the strict enforcement because it was an issue in so many places, and then discussion of the changes to help with this in the various widgets, and then putting the strict enforcement back in, and then work with a contributor in a Jira issue with a couple of revisions to a patch to fix links on the order detail page in the order manager, and then more examples of the manual changes needed in FTL files, and then answers to a few questions about it on the mailing lists...

If I had known it would be this much trouble... :(

-David


On Mar 26, 2009, at 1:58 PM, Adrian Crum wrote:

In fact, David answered this question when it was brought up the last time.

-Adrian

David E Jones wrote:
On Mar 26, 2009, at 12:58 PM, Bruno Busco wrote:
Hi,
when trying to select a different theme in the backoffice I get this.

The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException:
Found URL parameter [userPrefTypeId] passed to secure (https)
request-map with uri [setUserPreference] with an event that calls
service [setUserPreference]; this is not allowed for security reasons!
The data should be encrypted by making it part of the request body
instead of the request URL.

I know it is related to the recent secure url parameters passing
change but I do not know the new system enough to fix it.
The fix is easy, as has been discussed a bit, just change the link into a hidden form that is submitted with a link. For some examples of this done in FTL files check out my recent commits in the orderpaymentinfo.ftl file, like SVN rev 758512.
-David
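
The fix described above (turn the link into a hidden form that is submitted with a link), sketched as an added example that is not part of this thread and not OFBiz code. It models the rule from the quoted error message and rewrites an offending link; the path, the parameter values, the form name and the function names are constructed assumptions, and only `userPrefTypeId` and `setUserPreference` come from the error text.

```javascript
// Added illustration, not OFBiz code. Names and values are constructed except
// userPrefTypeId and setUserPreference, which come from the quoted error message.
const SECURE_SERVICE_REQUESTS = new Set(["setUserPreference"]); // assumed: https + service event
const SAMPLE_LINK =
  "/control/setUserPreference?userPrefTypeId=VISUAL_THEME&userPrefValue=FLAT_GREY";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Model of the rule in the error message: a secure request-map whose event
// calls a service must not receive parameters in the URL.
function findUrlParameterViolations(requestUrl) {
  const url = new URL(requestUrl, "https://localhost");
  const uri = url.pathname.split("/").pop();
  if (!SECURE_SERVICE_REQUESTS.has(uri)) return [];
  return [...url.searchParams.keys()];
}

// The fix: move every query parameter into a hidden field of a POST form and
// render a link that submits that form, so the data travels in the request body.
function linkToHiddenForm(href, label, formName) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(formName)) {
    throw new Error("formName must be a plain identifier");
  }
  const url = new URL(href, "https://localhost");
  const inputs = [...url.searchParams].map(
    ([name, value]) =>
      `  <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}"/>`
  );
  return [
    `<form name="${formName}" method="post" action="${escapeHtml(url.pathname)}">`,
    ...inputs,
    "</form>",
    `<a href="javascript:document.${formName}.submit()">${escapeHtml(label)}</a>`,
  ].join("\n");
}

console.log(findUrlParameterViolations(SAMPLE_LINK));
console.log(linkToHiddenForm(SAMPLE_LINK, "Flat Grey", "setThemeForm"));
```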

