Re: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability

2023-04-11 Thread Jacques Le Roux

Hi Douglas,

Your message has been moderated, else it would not have reached this Mailing 
List.

Please subscribe to the user ML for such questions and then use your email 
client.
See why here http://ofbiz.apache.org/mailing-lists.html.

You will get better support, people can answer you on the ML.
The wider the audience the better the answers you might get.

Also it's more work for moderators who have to accept your messages as long as 
you have not subscribed.
I'll personally no longer accept them (other moderators still could).

Thanks

This said, only the Solr plugin is concerned, no need to update the rest

HTH

Jacques

On 11/04/2023 at 07:49, Douglas Melo wrote:

Hello Jacques!!

I have a question, is it necessary to update the entire project or just the 
Solr plugin?

On 2023/04/10 09:21:12 Jacques Le Roux wrote:
> Severity: important
>
> Description:
>
> Arbitrary file reading vulnerability in Apache Software Foundation Apache
> OFBiz. This issue affects Apache OFBiz: before 18.12.07.
>
> Required Configurations:
>
> Using the Solr plugin
>
> Solution:
>
> Upgrade to release 18.12.07
>
> Credit:
>
> Skay (finder)
>
> References:
>
> https://lists.apache.org/list.html?annou...@apache.org
> https://ofbiz.apache.org/download.html
> https://ofbiz.apache.org/security.html
> https://ofbiz.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2022-47501
>
>


Re: how to add multiple .ftl files in screen.xml based on user permissions using if else conditions

2023-04-11 Thread Gil Portenseigne

One way of doing that is to have a structure like


    
 
    
    
    One
    
    
   
    
                  permission="XERUS_ASSETMAINTENANCE"

action="_VIEW"/>
    
    
   two
    
    
                        default
    
    
    


That is not elegant.


Another way I prefer is to have a script that defines the screen to 
render like :



    
    
    

Re: how to add multiple .ftl files in screen.xml based on user permissions using if else conditions

2023-04-11 Thread Mahi maheshwari
Thanks for the response Gil, but I was asking for applying multiple
conditions as mentioned below








   




   
 
   
 
   
 
  
  
 
   
 

   
  
   
 
   
  
 

   

 
  
   
 


   
  
   
  

  
   
  
 
  
   
  

  


  ${uiLabelMap.XerusViewPermissionError}
  You are not allowed to view this page.





 



but this is not working as I expected, please guide me if anywhere I'm
going wrong.

Best Regards,
Maheshwari.

On Tue, Apr 11, 2023 at 12:52 PM Gil Portenseigne <
gil.portensei...@nereide.fr> wrote:

> Hello Mahi,
>
> You can find multiple examples in the code base looking for :
> ``
>
> One of :
>
> 
>  
>   service-name="workEffortGenericPermission" main-action="VIEW"/>
>  
>  
>  
> location="component://workeffort/template/task/MyTasks.ftl"/>
>  
>  
>   style="h3">${uiLabelMap.WorkEffortViewPermissionError}
>  
> 
>
> If condition is true, widgets will display, else that will be fail-widgets
>
> Regards
>
> Gil
>
> On 11/04/2023 at 09:08, Mahi maheshwari wrote:
> > Hello Community,
> >
> > I want to add .ftl files in screens.xml for multiple users based on a few
> > conditions if there are multiple users named production user and quality
> > user and other users, so for these users if I want to give permission for
> > viewing any .ftl files, how can I do it.
> >
> > *for instance*, if production_user has permission to view only the
> > production module then render production.ftl, if quality_user has
> > permission to view only the quality module then render quality.ftl and if
> > assets_user has permission to view the assets module then render
> > assetmaint.ftl.
> > I want to give conditions like if else in one  tag in screens.xml
> >
> > *example: *
> > in widgets/screens.xml
> > 
> > if(User has Production_View permission)
> > then
> >  >
> location="component://xerus/webapp/xerus/crud/ProductionView.ftl"/>
> > else if(User has AssetMaintaince_View permission)
> > then
> >  > location="component://xerus/webapp/xerus/crud/ListOfAssets.ftl"/>
> > else if(User has Quality_View permission)
> > then
> >   >
> location="component://xerus/webapp/xerus/crud/QualityMainPage.ftl"/>
> > else
> >  > location="component://xerus/webapp/xerus/crud/NoPermission.ftl"/>
> > END of if
> > 
> >
> > please let me know how can I achieve this.
> >
> >
> > Best Regards,
> > Maheshwari.
> >
>


Re: how to add multiple .ftl files in screen.xml based on user permissions using if else conditions

2023-04-11 Thread Gil Portenseigne

Hello Mahi,

You can find multiple examples in the code base looking for : 
``


One of :


    
    service-name="workEffortGenericPermission" main-action="VIEW"/>

    
    
    location="component://workeffort/template/task/MyTasks.ftl"/>

    
    
    style="h3">${uiLabelMap.WorkEffortViewPermissionError}

    


If condition is true, widgets will display, else that will be fail-widgets

Regards

Gil

On 11/04/2023 at 09:08, Mahi maheshwari wrote:

Hello Community,

I want to add .ftl files in screens.xml for multiple users based on a few
conditions if there are multiple users named production user and quality
user and other users, so for these users if I want to give permission for
viewing any .ftl files, how can I do it.

*for instance*, if production_user has permission to view only the
production module then render production.ftl, if quality_user has
permission to view only the quality module then render quality.ftl and if
assets_user has permission to view the assets module then render
assetmaint.ftl.
I want to give conditions like if else in one  tag in screens.xml

*example: *
in widgets/screens.xml

if(User has Production_View permission)
then

else if(User has AssetMaintaince_View permission)
then

else if(User has Quality_View permission)
then
 
else

END of if


please let me know how can I achieve this.


Best Regards,
Maheshwari.
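
The condition / widgets / fail-widgets pattern from the reply above, extended to the if / else-if / else case asked about in the question, as an added example that is not part of the original messages. The screen name and the `XERUS_PRODUCTION` and `XERUS_QUALITY` permission names are assumptions; `XERUS_ASSETMAINTENANCE` and the template locations are the ones quoted in the thread.

```xml
<!-- Added example. Screen name and the XERUS_PRODUCTION / XERUS_QUALITY
     permission names are assumed; XERUS_ASSETMAINTENANCE and the .ftl
     locations are the ones quoted in the thread. -->
<screen name="XerusMain">
  <section>
    <!-- if: matches XERUS_PRODUCTION_VIEW (or XERUS_PRODUCTION_ADMIN) -->
    <condition>
      <if-has-permission permission="XERUS_PRODUCTION" action="_VIEW"/>
    </condition>
    <widgets>
      <platform-specific><html>
        <html-template location="component://xerus/webapp/xerus/crud/ProductionView.ftl"/>
      </html></platform-specific>
    </widgets>
    <fail-widgets>
      <!-- else if -->
      <section>
        <condition>
          <if-has-permission permission="XERUS_ASSETMAINTENANCE" action="_VIEW"/>
        </condition>
        <widgets>
          <platform-specific><html>
            <html-template location="component://xerus/webapp/xerus/crud/ListOfAssets.ftl"/>
          </html></platform-specific>
        </widgets>
        <fail-widgets>
          <!-- else if -->
          <section>
            <condition>
              <if-has-permission permission="XERUS_QUALITY" action="_VIEW"/>
            </condition>
            <widgets>
              <platform-specific><html>
                <html-template location="component://xerus/webapp/xerus/crud/QualityMainPage.ftl"/>
              </html></platform-specific>
            </widgets>
            <fail-widgets>
              <!-- else: no matching permission, render only the denial page -->
              <platform-specific><html>
                <html-template location="component://xerus/webapp/xerus/crud/NoPermission.ftl"/>
              </html></platform-specific>
            </fail-widgets>
          </section>
        </fail-widgets>
      </section>
    </fail-widgets>
  </section>
</screen>
```

Branches are evaluated top down and the first matching condition wins, so a user holding several of these permissions sees only the first template. The innermost `fail-widgets` is the deny case for a user holding none of them.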



RE: CVE-2022-47501: Apache OFBiz: Arbitrary file reading vulnerability

2023-04-11 Thread Douglas Melo

Hello Jacques!!

I have a question, is it necessary to update the entire project or just 
the Solr plugin?


On 2023/04/10 09:21:12 Jacques Le Roux wrote:
> Severity: important
>
> Description:
>
> Arbitrary file reading vulnerability in Apache Software Foundation
> Apache OFBiz. This issue affects Apache OFBiz: before 18.12.07.

>
> Required Configurations:
>
> Using the Solr plugin
>
> Solution:
>
> Upgrade to release 18.12.07
>
> Credit:
>
> Skay (finder)
>
> References:
>
> https://lists.apache.org/list.html?annou...@apache.org
> https://ofbiz.apache.org/download.html
> https://ofbiz.apache.org/security.html
> https://ofbiz.apache.org/
> https://www.cve.org/CVERecord?id=CVE-2022-47501
>
>


how to add multiple .ftl files in screen.xml based on user permissions using if else conditions

2023-04-11 Thread Mahi maheshwari
Hello Community,

I want to add .ftl files in screens.xml for multiple users based on a few
conditions if there are multiple users named production user and quality
user and other users, so for these users if I want to give permission for
viewing any .ftl files, how can I do it.

*for instance*, if production_user has permission to view only the
production module then render production.ftl, if quality_user has
permission to view only the quality module then render quality.ftl and if
assets_user has permission to view the assets module then render
assetmaint.ftl.
I want to give conditions like if else in one  tag in screens.xml

*example: *
in widgets/screens.xml

if(User has Production_View permission)
then

else if(User has AssetMaintaince_View permission)
then

else if(User has Quality_View permission)
then

else

END of if


please let me know how can I achieve this.


Best Regards,
Maheshwari.