On Apr 19, 2012, at 5:50 PM, Adam Heath wrote:

> On 04/19/2012 04:41 PM, Jacques Le Roux wrote:
>> Committed at revision: 1328122
>> Jacques
>
> This change would be needed for anything dealing with PAN (credit-card
> number for those not into the lingo).

Somewhat related - but only in regards to the logging of credit card numbers…

I came across this last year, and thought it could be useful for OFBiz someday:
http://corner.squareup.com/2011/11/luhny-bin.html

What the blog post describes is a log filter that checks for a string of digits that represents a valid credit card number. If one is detected, it will be masked when it is logged, and reported via an email alert. What follows is a mini-contest to determine an efficient way to do this in a variety of languages, complete with a simple test case and various solutions.

>> From: "Jacques Le Roux" <jacques.le.r...@les7arts.com>
>>> Nope, I'd not have raised a warning else ;o)
>>> The user must read it at the end, it's the body part of the email in
>>> the service result
>>> Jacques
>>>
>>> From: "Adrian Crum" <adrian.c...@sandglass-software.com>
>>>> Is the logged password encrypted? If yes, then I don't see a
>>>> problem with it.
>>>>
>>>> -Adrian
>>>>
>>>> On 4/7/2012 10:39 AM, Jacques Le Roux wrote:
>>>>> Hi,
>>>>>
>>>>> I followed Scott's suggestion and added a generic EMAIL_PASSWORD
>>>>> EmailTemplateSetting (used to send a new password at user request).
>>>>> I finally kept also the previous way (in r1307895) because it
>>>>> allows an easier i18n of the email subject.
>>>>>
>>>>> Something is worrying me a bit. Since the service takes more than
>>>>> 50/200 ms, ServiceDispatcher.java (just above line 600) shows the
>>>>> password in console and logs. To prevent this by and large, I'd
>>>>> like to add a hideResult attribute to service definition. It would be
>>>>> false by default and used in ServiceDispatcher.runAsync()
>>>>>
>>>>> An alternative would be to use runSyncIgnore to call
>>>>> sendMailFromScreen service in LoginEvents.java. But I think it's a
>>>>> more general issue...
>>>>>
>>>>> What do you think?
>>>>>
>>>>> Jacques
>>>>>
>>>>> From: "Jacques Le Roux" <jacques.le.r...@les7arts.com>
>>>>>> Thanks Scott,
>>>>>>
>>>>>> This sounds like a plan. I will try to apply it...
>>>>>>
>>>>>> Jacques
>>>>>>
>>>>>> From: "Scott Gray" <scott.g...@hotwaxmedia.com>
>>>>>>> Hi Jacques,
>>>>>>>
>>>>>>> I think the better approach would have been to fall back to the
>>>>>>> EmailTemplateSetting (after adding a demo record for it) and
>>>>>>> failing if it isn't present (along with removing that default
>>>>>>> screen reference altogether). The reason for this is simplicity,
>>>>>>> we give the user one path through the system:
>>>>>>> - Define a forgot password template for the entire system in
>>>>>>> EmailTemplateSetting
>>>>>>> - If you want ones for specific product stores then define them
>>>>>>> in ProductStoreEmailSetting
>>>>>>>
>>>>>>> Regards
>>>>>>> Scott
>>>>>>>
>>>>>>> On 3/04/2012, at 10:13 PM, Jacques Le Roux wrote:
>>>>>>>
>>>>>>>> Do you agree with r1307895 and to backport it to releases?
>>>>>>>> http://svn.apache.org/viewvc?rev=1307895&view=rev
>>>>>>>>
>>>>>>>> Jacques
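
The log filter described in the reply above (mask any digit string that is a valid card number before it is logged) can be sketched as follows. This is an added example, not code from the thread, from OFBiz or from the linked blog post; the names `mask_pans` and `PanMaskingFilter`, the 14-16 digit window and the `X` mask character are assumptions, and the `hits` counter stands in for the email alert.

```python
import logging
import re

# A maximal run of digits with only spaces or hyphens between them.
RUN = re.compile(r"\d[\d -]*\d")

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pans(text, mask="X"):
    """Mask every 14-16 digit window that passes Luhn; separators are kept."""
    out = list(text)
    for m in RUN.finditer(text):
        pos = [i for i in range(m.start(), m.end()) if text[i].isdigit()]
        digits = [int(text[i]) for i in pos]
        # Slide over the run so a card number embedded in a longer digit
        # string (or overlapping another candidate) is still caught.
        for size in (16, 15, 14):
            for start in range(len(digits) - size + 1):
                if luhn_ok(digits[start:start + size]):
                    for i in pos[start:start + size]:
                        out[i] = mask
    return "".join(out)

class PanMaskingFilter(logging.Filter):
    """Rewrites the record in place so no handler ever sees the digits."""
    def __init__(self):
        super().__init__()
        self.hits = 0  # hook for alerting: count of records that were masked

    def filter(self, record):
        original = record.getMessage()
        masked = mask_pans(original)
        if masked != original:
            self.hits += 1
            record.msg, record.args = masked, ()
        return True  # never drop the record, only rewrite it
```

Attach the filter to each handler (`handler.addFilter(PanMaskingFilter())`) rather than to one logger, so records propagated from child loggers are masked as well.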