[ https://issues.apache.org/jira/browse/OFBIZ-6207?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14379214#comment-14379214 ]
Forrest Rae commented on OFBIZ-6207: ------------------------------------ Figured it out: <entity-one entity-name="Quote" value-field="quote1"> <field-map field-name="quoteId" from-field="parameters.quoteId"/> </entity-one> <set field="quote" value="${groovy: if(quote1.partyId == userLogin.partyId) quote = quote1;}"/> > Anyone can view any Request or Quote > ------------------------------------ > > Key: OFBIZ-6207 > URL: https://issues.apache.org/jira/browse/OFBIZ-6207 > Project: OFBiz > Issue Type: Bug > Components: specialpurpose/ecommerce > Affects Versions: Trunk, 13.07.01 > Reporter: Forrest Rae > Priority: Critical > Labels: security > Attachments: OFBIZ-6207-second-attempt.patch, OFBIZ-6207.patch > > > This is a security bug in the ecommerce application. Anyone can view any > quote or request in the system regardless of the associated partyId. They > can do this via URL parameter manipulation. > Reproduction: > 1) Login to the ecommerce application as DemoCustomer. > 2) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9000 > to view your own request. > 3) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9001 > to view DemoCustAgent's request. > 4) Navigate to > http://demo-stable-ofbiz.apache.org/ecommerce/control/ViewRequest?custRequestId=9002 > to view DemoCustomer2's request. > Same goes for Quotes, although there are no quotes in the Demo data. The > attach patch fixes this issue. > Would like this issue back ported to release 13.07 please. -- This message was sent by Atlassian JIRA (v6.3.4#6332)