[ https://issues.apache.org/jira/browse/OFBIZ-7319?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-7319.
----------------------------------
       Resolution: Fixed
    Fix Version/s: 13.07.04
                   15.12.01
                   14.12.01

Thanks Florian for report, Ravi for your patch,

Ravi your patch is in
trunk r1748182
R15.12, R14.12 and R13.07 at r1748184

> Remove product feature in Quick Admin page not secure
> -----------------------------------------------------
>
>                 Key: OFBIZ-7319
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7319
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: product
>    Affects Versions: Trunk
>            Reporter: Montalbano Florian
>            Assignee: Jacques Le Roux
>            Priority: Minor
>              Labels: feature, parameters, remove, secure
>             Fix For: 14.12.01, 15.12.01, 13.07.04
>
>         Attachments: OFBIZ-7319.patch
>
>
> When trying to remove a product feature from the quick admin page of a
> product, you get the following error:
> {code}
> The Following Errors Occurred:
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL
> parameter [productId] passed to secure (https) request-map with uri
> [quickAdminRemoveFeatureFromProduct] with an event that calls service
> [removeFeatureFromProduct]; this is not allowed for security reasons! The
> data should be encrypted by making it part of the request body (a form field)
> instead of the request URL. Moreover it would be kind if you could create a
> Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check
> before if a sub-task for this error does not exist). If you are not sure how
> to create a Jira issue please have a look before at
> http://cwiki.apache.org/confluence/x/JIB2 Thank you in advance for your help.
> {code}
> As the error asks for, I'm creating this Jira.
> I checked in the created sub-task and this one was not registered (but there
> was one for removing feature in Product Category).
> Steps to reproduce the error:
> - Go to the catalog and search for any product
> (https://localhost:8443/catalog/control/FindProduct)
> - Go to the "Quick Admin" tab
> (https://localhost:8443/catalog/control/EditProductQuickAdmin?productId=WG-9943-B3)
> - Add a standard feature type (Color for example)
> - Select an option from the drop-down of the feature type (Black for example)
> and add the feature.
> - Try to delete it by clicking on the button with a cross.
> - The error shows up

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
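
The rule stated in the error message above, as an added Python sketch that is not OFBiz's code and not part of the original message. `RequestMap`, its fields, `url_params_rejected`, and the attribute values given to both request-maps are assumptions; the remove-feature URLs are constructed.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qsl


@dataclass(frozen=True)
class RequestMap:
    """Hypothetical stand-in for one controller request-map entry."""
    uri: str
    https: bool        # request-map is marked secure
    event_type: str    # "service" when the event invokes a service
    invoke: str        # service invoked by the event ("" for a plain view)


def url_params_rejected(request_map: RequestMap, request_url: str) -> list:
    """Return the query-string parameter names the rule rejects.

    The rule applies only to secure request-maps whose event calls a
    service; for those, every parameter must arrive in the request body.
    """
    if not (request_map.https and request_map.event_type == "service"):
        return []
    query = urlsplit(request_url).query
    # keep_blank_values: "?productId=" still puts the name in the URL.
    names = {name for name, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(names)


# Names taken from the error message; attribute values are assumed.
REMOVE_FEATURE = RequestMap("quickAdminRemoveFeatureFromProduct", True,
                            "service", "removeFeatureFromProduct")
# The Quick Admin tab from the reproduction steps, assumed to be a plain
# view request, which is why productId in its URL is accepted.
QUICK_ADMIN_VIEW = RequestMap("EditProductQuickAdmin", True, "none", "")

BASE = "https://localhost:8443/catalog/control/"
# Constructed: the delete button rendered as a link with the id in the URL.
AS_LINK = BASE + "quickAdminRemoveFeatureFromProduct?productId=WG-9943-B3"
# Constructed: same target, id moved into a POST form field (request body).
AS_FORM_POST = BASE + "quickAdminRemoveFeatureFromProduct"
VIEW_URL = BASE + "EditProductQuickAdmin?productId=WG-9943-B3"

if __name__ == "__main__":
    print(url_params_rejected(REMOVE_FEATURE, AS_LINK))
    print(url_params_rejected(REMOVE_FEATURE, AS_FORM_POST))
    print(url_params_rejected(QUICK_ADMIN_VIEW, VIEW_URL))
```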