ofbiz-notifications mailing list archives

From "Jacques Le Roux (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11329) setUserTimeZone should ran only once based on error
Date Sun, 02 Feb 2020 12:06:00 GMT

    [ https://issues.apache.org/jira/browse/OFBIZ-11329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17028417#comment-17028417 ]

Jacques Le Roux commented on OFBIZ-11329:
-----------------------------------------

Hi James,

Thanks for your review!

bq. But as SetTimeZoneFromBrowser can change the data in the database, I think it should not
be exempted from CSRF token check.
Agreed, we should keep this in mind. Unfortunately I see no better solution than hardcoding
for now. Also, if ever somebody changes the SetTimeZoneFromBrowser name, the issue will appear in
the log again. So not much to fear IMO.

bq. Note that the existing implementation of SetTimeZoneFromBrowser doesn't check whether
the submitted timezone is valid or different from the UserLogin's lastTimeZone. Not sure if
this should be in another JIRA issue.
The feature depends on the browser used, so if the user changes timezone there is a reason
(travelling, etc.) and I see no reason to compare with the previous one. I don't see how it could
be invalid; the browser can't lie.

OFBIZ-11306
bq. there should be no need to check for throwRequestHandlerExceptionOnMissingLocalRequest.
The property is for missing request map but we are handling missing or invalid CSRF token.
Then why not simply throw a RequestHandlerException?

bq. Found that additional info which should be returned from ajax request of SetTimeZoneFromBrowser,
due to the jsonResponseFromRequestAttribute service and my implementation o
Could you please give more details?

> setUserTimeZone should ran only once based on error
> ---------------------------------------------------
>
>                 Key: OFBIZ-11329
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11329
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework, webpos
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: James Yong
>            Priority: Minor
>         Attachments: OFBIZ-11329-plugins.patch, OFBIZ-11329.patch, OFBIZ-11329.patch
>
>
> This will be useful when committing CSRF solution as explained in OFBIZ-11306
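Added example, not part of this message and not OFBiz's own SetTimeZoneFromBrowser code: a standalone Java helper showing the two server-side checks raised in the review (is the submitted value a known zone id, and does it differ from the UserLogin's lastTimeZone). The class, method and enum names are hypothetical; it relies only on java.time, with constructed sample inputs in main.

```java
import java.time.DateTimeException;
import java.time.ZoneId;
import java.util.Set;

/**
 * Hypothetical helper (added example, not OFBiz code): validates a timezone id
 * submitted by the browser before it is written to the UserLogin record.
 */
public final class TimeZoneSubmissionCheck {

    /** Outcome of validating a submitted timezone value. */
    public enum Outcome { INVALID, UNCHANGED, UPDATE }

    // The JDK's own list of region-based zone ids (e.g. "Europe/Paris").
    private static final Set<String> KNOWN_ZONES = ZoneId.getAvailableZoneIds();

    private TimeZoneSubmissionCheck() {}

    /**
     * @param submitted    raw value of the request parameter (may be null)
     * @param lastTimeZone zone id currently stored for the user (may be null)
     * @return INVALID if the value is not a known zone id, UNCHANGED if it
     *         equals lastTimeZone, UPDATE if it is a valid, different zone
     */
    public static Outcome check(String submitted, String lastTimeZone) {
        if (submitted == null) {
            return Outcome.INVALID;
        }
        String candidate = submitted.trim();
        // Only accept ids the JDK knows; this rejects empty strings, offset
        // forms such as "+05:00", and arbitrary text sent by a client.
        if (candidate.isEmpty() || !KNOWN_ZONES.contains(candidate)) {
            return Outcome.INVALID;
        }
        // Defensive: a known id should always parse, but fail closed if not.
        try {
            ZoneId.of(candidate);
        } catch (DateTimeException e) {
            return Outcome.INVALID;
        }
        if (candidate.equals(lastTimeZone)) {
            return Outcome.UNCHANGED;
        }
        return Outcome.UPDATE;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: same zone, changed zone, unknown id, malformed id
        System.out.println(check("Europe/Paris", "Europe/Paris"));
        System.out.println(check("Asia/Singapore", "Europe/Paris"));
        System.out.println(check("Not/AZone", "Europe/Paris"));
        System.out.println(check("UTC+99", null));
    }
}
```

A request handler would only touch the database on UPDATE; INVALID lets the server log and ignore a bad value instead of storing it, and UNCHANGED avoids a needless write when the browser re-sends the zone already on record.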



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
