[ https://issues.apache.org/jira/browse/OFBIZ-3982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918970#action_12918970 ]

Jacques Le Roux commented on OFBIZ-3982:
----------------------------------------

I understand that you created this issue because it was asked by the message. 
But please understand that this is only true for OOTB code, not custom code...

BTW it's ok if the service is only reading (the R in CRUD). You can even bypass 
the security by setting service.http.parameters.require.encrypted to N in 
url.properties. But as this will be for your whole application it's not 
recommended though! I'm sure you got it now...

> Exception in CRUD operations using minilang
> -------------------------------------------
>
>                 Key: OFBIZ-3982
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3982
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL COMPONENTS
>    Affects Versions: Release 09.04
>         Environment: LINUX
>            Reporter: Shereen Ashraf
>            Assignee: Jacques Le Roux
>
> I'm trying to use the minilang to delete a record in an entity. I faced the 
> following exception
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL 
> parameter [reviewId] passed to secure (https) request-map with uri 
> [RemovePlanetReview] with an event that calls service 
> [learningRemovePlanetReview]; this is not allowed for security reasons! The 
> data should be encrypted by making it part of the request body (a form field) 
> instead of the request URL. Moreover it would be kind if you could create a 
> Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check 
> before if a sub-task for this error does not exist). If you are not sure how 
> to create a Jira issue please have a look before at http://docs.ofbiz.org/x/r.
> Does anyone know what's this? I've done this experiment in  release10.04
> this is how I wrote the delete button in the form
> <field name="delete">
> <hyperlink target="RemovePlanetReview?reviewId=${reviewId}" 
> description="Delete"/></field>
> this is the service
>  <simple-method method-name="removePlantetReview" short-description="Delete a 
> Planet Review">
>      <entity-one entity-name="PlanetReview" value-name="lookedUpValue"/>
>      <remove-value value-name="lookedUpValue"/>
> </simple-method>
> this is the request
> <request-map uri="RemovePlanetReview">
>   <security auth="true" https="true"/>
>    <event type="service" invoke="learningRemovePlanetReview"/>
>   <response name="success" type="view" value="ListPlanetReviews"/>
>   <response name="error" type="view" value="ListPlanetReviews"/>
> </request-map>
> would anyone please tell what's going on?
> Am I going to face the same trouble in 10.04 ?
> Thanks in advance to anyone who can help 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
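
The condition named in the exception above (a URL parameter sent to an https request-map whose event calls a service) can be checked statically before deployment. The following is an added example, not part of the original message or of OFBiz: the sample XML is constructed from the snippets quoted in the issue, and the function names and wrapper elements are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, based on the snippets quoted in the issue.
CONTROLLER_XML = """<site-conf>
  <request-map uri="RemovePlanetReview">
    <security auth="true" https="true"/>
    <event type="service" invoke="learningRemovePlanetReview"/>
  </request-map>
  <request-map uri="ListPlanetReviews">
    <security auth="true" https="true"/>
    <response name="success" type="view" value="ListPlanetReviews"/>
  </request-map>
</site-conf>"""

FORMS_XML = """<forms><form name="ListPlanetReviews">
  <field name="delete"><hyperlink description="Delete"
      target="RemovePlanetReview?reviewId=${reviewId}"/></field>
  <field name="list"><hyperlink description="Back"
      target="ListPlanetReviews?planetId=${planetId}"/></field>
</form></forms>"""

def local(tag):
    """Element name without any XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def secure_service_uris(controller_xml):
    """Map uri -> service name for https request-maps with a service event."""
    found = {}
    for rm in ET.fromstring(controller_xml).iter():
        if local(rm.tag) != "request-map":
            continue
        kids = {local(c.tag): c for c in rm}
        sec, ev = kids.get("security"), kids.get("event")
        if (sec is not None and sec.get("https") == "true"
                and ev is not None and ev.get("type") == "service"):
            found[rm.get("uri")] = ev.get("invoke")
    return found

def find_url_param_links(forms_xml, controller_xml):
    """Hyperlinks that put parameters in the URL of such a request-map."""
    risky, findings = secure_service_uris(controller_xml), []
    for el in ET.fromstring(forms_xml).iter():
        uri, _, query = el.get("target", "").partition("?")
        if local(el.tag) == "hyperlink" and uri in risky and query:
            names = [p.split("=", 1)[0] for p in query.split("&") if p]
            findings.append((uri, risky[uri], names))
    return findings
```

Only the Delete link is reported; the link to ListPlanetReviews is not, because that request-map has no service event.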
