[ https://issues.apache.org/jira/browse/OFBIZ-11329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028417#comment-17028417 ]

Jacques Le Roux commented on OFBIZ-11329:
-----------------------------------------

Hi James,

Thanks for your review!

bq. But as SetTimeZoneFromBrowser can change the data in the database, I think 
it should not be exempted from CSRF token check.
Agreed, we should keep this in mind. Unfortunately I see no better solution than 
hardcoding for now. Also, if ever somebody changes the SetTimeZoneFromBrowser name, 
the issue will appear in the log again. So not much to fear IMO.

bq. Note that the existing implementation of SetTimeZoneFromBrowser doesn't 
check whether the submitted timezone is valid or different from the UserLogin's 
lastTimeZone. Not sure if this should be in another JIRA issue.
The feature depends on the browser used, so if the user changes timezone 
there is a reason (travelling, etc.) and I see no reason to compare with the 
previous one. I don't see how it could not be valid, the browser can't lie.

OFBIZ-11306
bq. there should be no need to check for 
throwRequestHandlerExceptionOnMissingLocalRequest. The property is for missing 
request map but we are handling missing or invalid CSRF token.
Then why not simply throw a RequestHandlerException?

bq. Found that additional info which should be returned from ajax request of 
SetTimeZoneFromBrowser, due to the jsonResponseFromRequestAttribute service and 
my implementation o
Could you please give more details?

> setUserTimeZone should ran only once based on error
> ---------------------------------------------------
>
>                 Key: OFBIZ-11329
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11329
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework, webpos
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-11329-plugins.patch, OFBIZ-11329.patch, 
> OFBIZ-11329.patch
>
>
> This will be useful when committing CSRF solution as explained in OFBIZ-11306



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
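The review point above about SetTimeZoneFromBrowser not checking whether the submitted timezone is valid is worth seeing in code. The following is an added example, not OFBiz code and not from either commenter: it uses only the JDK (java.util.TimeZone and java.time.ZoneId) with constructed sample inputs. The class name TimeZoneValidation and the helper names are assumptions for illustration. It shows the pitfall that java.util.TimeZone.getTimeZone(String) never rejects an unknown ID (it silently returns GMT), so a request value must be checked against the JVM's known zone IDs before it is persisted, and it includes the "differs from the stored lastTimeZone" comparison the review asked about.

```java
import java.time.DateTimeException;
import java.time.ZoneId;
import java.util.Optional;
import java.util.Set;
import java.util.TimeZone;

// Added example (not OFBiz code): server-side validation of a timezone ID
// that arrives in an HTTP request. Nothing in the request can be trusted to
// be a real zone ID just because a browser normally sends one.
public final class TimeZoneValidation {

    // Snapshot of the zone IDs this JVM knows (assumption: built once at class load).
    private static final Set<String> KNOWN_ZONE_IDS = ZoneId.getAvailableZoneIds();

    /**
     * Returns the canonical ZoneId for a submitted value, or empty when the value
     * is absent, oversized, or not a zone ID known to this JVM.
     */
    public static Optional<ZoneId> parseSubmittedTimeZone(String submitted) {
        // Cheap rejection of junk before any lookup (length limit is an assumption).
        if (submitted == null || submitted.isEmpty() || submitted.length() > 64) {
            return Optional.empty();
        }
        // Exact-match allow list: unknown strings are rejected, not coerced.
        if (!KNOWN_ZONE_IDS.contains(submitted)) {
            return Optional.empty();
        }
        try {
            return Optional.of(ZoneId.of(submitted));
        } catch (DateTimeException e) {
            // Defensive: the allow list should prevent this, but never throw on user input.
            return Optional.empty();
        }
    }

    /** True when the validated zone differs from the value already stored for the user. */
    public static boolean shouldUpdateLastTimeZone(String storedLastTimeZone, ZoneId submitted) {
        return storedLastTimeZone == null || !storedLastTimeZone.equals(submitted.getId());
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a real zone and a made-up one.
        String[] samples = { "Europe/Paris", "Mars/Olympus" };
        for (String s : samples) {
            // Pitfall: TimeZone.getTimeZone does not fail on an unknown ID, it returns GMT.
            String legacy = TimeZone.getTimeZone(s).getID();
            String validated = parseSubmittedTimeZone(s).map(ZoneId::getId).orElse("<rejected>");
            System.out.println(s + " -> TimeZone.getTimeZone: " + legacy + ", validated: " + validated);
        }
        // Only write to the database when the value actually changed.
        ZoneId paris = ZoneId.of("Europe/Paris");
        System.out.println("stored Europe/Paris, submitted Europe/Paris, update? "
            + shouldUpdateLastTimeZone("Europe/Paris", paris));
        System.out.println("stored Asia/Singapore, submitted Europe/Paris, update? "
            + shouldUpdateLastTimeZone("Asia/Singapore", paris));
    }
}
```

Rejecting rather than coercing matters here because a request that bypasses the CSRF check can still write to the UserLogin record; an allow-list check at least bounds what gets written, and the equality check avoids a pointless update (and its audit noise) on every page load.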
