Release16.11 script language problem #30

=== Fixed: French typo fix (OFBIZ-10244) Thanks Pierre Gaudin for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1825446 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Error in service definition for deleteOrderHeaderWorkEffort (OFBIZ-10243) Thanks Pierre Gaudin for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1825452 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Pass JVM options to OFBiz when using Gradle. (OFBIZ-10253) This enables passing JVM options like memory, garbage collection or JMX configurations to the OFBiz VM. Falls back to the previously hard coded default if not set. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826378 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: UtilCodec URL decoding breaks values with german umlauts. (OFBIZ-10275) Thanks Martin Becker for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826595 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Wrong locale/fallbackLocale logic in CategoryContentWrapper leads to unavailable alternate locale content. (OFBIZ-10274) Thanks Martin Becker for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826672 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1826797 | jleroux | Thu Mar 15 11:29:59 2018 | 5 lines Fixed: The getJSONuiLabel javascript function is no longer working (OFBIZ-10277) The data were well retrieve, but the syntax used to extract them was not working ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826798 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Removing Birt dependencies in ReportScreens.xml. (OFBIZ-10283) Thanks Dennis Balkir for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826807 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1826938 | jleroux | 2018-03-16 10:35:06 +0100 (ven., 16 mars 2018) | 12 lines Fixed: Logout do not remove autoLogin (OFBIZ-4959) I used the only available (and I must say confusing) WebappInfo.getName() when I needed the webAppName not the WebappInfoName. So this put in a new WebappInfo.getMountPoint() and use it in getWebappInfo Also use LoginWorker.autoLoginSet() in different places where I missed it. In other words all autoUserLogin coockies are deleted on login and logout, and an autoUserLogin cookie is created when going locally from a webapp to another, with checkExternalLoginKey ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1826943 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1826997 | jleroux | 2018-03-16 16:39:18 +0100 (ven., 16 mars 2018) | 7 lines Fixed: The server hour normally shown in the jobs list is no longer showing (OFBIZ-10278) With FTL formatting in OFBIZ-7636, the commented single line got broken into 3 lines making it an invalid js code. Thanks: Aditya ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1827002 13f79535-47bb-0310-9956-ffa450edef68

…items. It should only set orderDate as nowTimeStamp only if createAsNewOrder flag is true other wise it should set orderDate from existing orderHeader. Also, removed setting of redundant orderName on cart. Applied fix from trunk revision 1827827. (OFBIZ-10301) Thanks Suraj Khurana for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1827960 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1828255 | jleroux | 2018-04-03 18:37:09 +0200 (mar., 03 avr. 2018) | 7 lines Fixed: Required parameters are optional for createWorkRequirementFulfillment service (OFBIZ-8622) As per entity def, required parameter should be requirementId instead of requirementTypeId. Thanks: Suraj for the last patch ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1828307 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Update Currency UOM data as per iso amendment 164, 165 and 166 (OFBIZ-10364) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1829693 13f79535-47bb-0310-9956-ffa450edef68

… in the order defined (OFBIZ-10369) The events contained in the controller configuration for first-visit, pre-post processor and before-after login are executed in arbitrary order rather than the defined order. If we define an event configuration as follow: <after-login> <event name=keepCartUpdated type=java path=org.apache.ofbiz.order.shoppingcart.ShoppingCartEvents invoke=keepCartUpdated/> <event name=restoreAutoSaveList type=java path=org.apache.ofbiz.order.shoppinglist.ShoppingListEvents invoke=restoreAutoSaveList/> <event name=saveCartToAutoSaveList type=java path=org.apache.ofbiz.order.shoppinglist.ShoppingListEvents invoke=saveCartToAutoSaveList/> </after-login> We wait that OFBIz run keepCartUpdated, restoreAutoSaveList and after saveCartToAutoSaveList event but the HashMap who organise them return arbitrary order and can return saveCartToAutoSaveList, keepCartUpdated and restoreAutoSaveList. Convert the HashMap to LinkedHashMap help to keep the loaded order. Thanks to Vikas Mayur for solve this issue git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1830304 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10392) Thanks Schumann Ye for your contribution, This has been already fixed in 17.12 at r#1792020 by zhangwei git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1830854 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Fix typo 'paramters' => 'parameters' (OFBIZ-10394) Thanks Mathieu Lirzin for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1830939 13f79535-47bb-0310-9956-ffa450edef68

…creating a new one. Now service will first expires all the billing location against party and create new one. Applied fix from trunk revision 1831183. (OFBIZ-10374) Thank you Suraj Khuran for reporting the issue and providing patch for the same. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831186 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1831234 | jleroux | 2018-05-09 10:26:44 +0200 (mer. 09 mai 2018) | 4 lignes Fixed: Sending mail button from viewProfile doesn't work (OFBIZ-7075) There was a quote error in the Montalbano Florian's patch, this fix it ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831235 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10004) Thanks Mohammad Kathawala for reporting the issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831455 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Wrong permission action leads to error (OFBIZ-10405) Thanks Suraj Khurana for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831610 13f79535-47bb-0310-9956-ffa450edef68

…using FATAL log4j level (OFBIZ-6206) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831790 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1831831 | jleroux | 2018-05-18 10:11:55 +0200 (ven. 18 mai 2018) | 11 lignes Fixed:: Dynamic values not rendering properly in property tag of fail-property attribute (OFBIZ-10406) While calling checkProductRelatedPermission, if permission is failed ten fail-property tag uses ${checkActionLabel} which is not handled properly in MessageElement.java. There are 2-3 other occurrences as well of such type but not in working condition. Thanks: Suraj ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1831833 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Updated msyql sql-type for datetime field-type to support Fractional Seconds in Time Values (OFBIZ-9337) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1832367 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1832577 | zhangwei | 2018-05-31 03:20:54 +0200 (jeu. 31 mai 2018) | 1 ligne Fixed: Incorrect data type conversion of variable serviceEndTime in CoreEvents.java (OFBIZ-10419) A minor fix for serviceEndTime conversion ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1832660 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1832662 | jleroux | 2018-06-01 09:37:27 +0200 (ven. 01 juin 2018) | 12 lignes Fixed: Session fixation issue (OFBIZ-10420) Fixes a session fixation security issue discovered by a client with the security audit tool "IBM Security AppScan Enterprise , Version : 9.0.3.7" Prevents the session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie). Only do when really signing in to avoid unnecessary calls Though if the client has disabled the use of cookies, then a session will be new on each request, not a good choice on client side! ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1832664 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1832756 | jleroux | 2018-06-03 10:33:09 +0200 (dim. 03 juin 2018) | 21 lignes Fixed: Session fixation issue (OFBIZ-10420) Prevents the session fixation by making Tomcat generate a new jsessionId (ultimately put in cookie). Only do when really signing in to avoid unnecessary calls This improves the way it's done by using request.changeSessionId() instead of creating a brand new session. So there is no possible side effects on client and no need to set initial request info (using setInitialRequestInfo) Thanks: Taher for asking about it ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1832758 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1832944 | jleroux | 2018-06-05 15:56:29 +0200 (mar. 05 juin 2018) | 17 lignes Fixed: The first visit event are not executed in case of CMS (OFBIZ-10389) Execution of the first visit events depends on the trackVisit function In RequestHandler.java file if (this.trackVisit(request) && session.getAttribute("_FIRST_VISIT_EVENTS_") == null) { // execute first visit event } trackVisit function does not honor the default controller request (in this case, cms) So, we should improve the code of trackVisit to honor default controller request. Thanks: Swapnil M Mane ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1832946 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1833211 | jleroux | 2018-06-08 22:37:32 +0200 (ven. 08 juin 2018) | 8 lignes Fixed: streaming large content cause out of memory exception. (OFBIZ-10133) With r1821036 DataResourceWorker.getDataResourceStream() may return an InputStream (if the data resource is a file) instead of a ByteArrayInputStream which was expected in few places. This fixes it ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1833213 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1833710 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10436) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1833724 13f79535-47bb-0310-9956-ffa450edef68

=== FIXED:Incorrect succes mesage after creating customer. (OFBIZ-9898) Thanks Anushi Gupta for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1834183 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Values are not aligned with column over EditShoppingList Screen, applied patch from jira issue. (OFBIZ-10210) Thanks, Yogesh Naroliya for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1834194 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Framework webapp freemarkerTransform.properties has dependency on proudct component (OFBIZ-10463) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1835245 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10458) A new Junit test is implemented to validate that no duplicates are present. Groovy service has been refactored to use a more functional style Thanks Mathieu Lirzin for reporting and providing the patch git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1835284 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1836143 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: compressableMimeType is not a valid attribute of apache http connector (OFBIZ-10487) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1836146 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10486) The CSS rule defined in ecommain.css for 'a' overrides the rule for A.blogtitle, due to which the color of 'a' and its background became similar, thus making it invisible. To avoid such overriding, added 'important' attribute to css rule of A.blogtitle. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1836876 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10506) Thanks Dennis for your patch git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1837586 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1837708 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-7719) Thanks Vishal for your patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1837843 13f79535-47bb-0310-9956-ffa450edef68

…ress checkbox in WebPos. (OFBIZ-7709) Thanks Vishal for your patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1837844 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1838032 | jleroux | 2018-08-14 18:44:17 +0200 (mar. 14 août 2018) | 4 lignes Fixed: You can't create a New Payment Group (OFBIZ-10523) There is a duplicated paymentGroupTypeId, it should a string not a list. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1838034 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Could not find simple-method createWorkEffortSkillStandard as it was called as simple method and it is converted to entity-auto service. (OFBIZ-10524) Thanks Fernando Ortega for reporting the issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1838251 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10530) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1838799 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Java object rendering on billing section of one page anonymous checkout process. (OFBIZ-10425) Thanks Jason Hao for reporting and Priya Sharma for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1838819 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10545) Moved the SurveyOptions.ftl file from groovyScripts to the template. Thanks: David S Hunter for contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1839730 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1839731 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1840189 | jleroux | 2018-09-06 09:50:54 +0200 (jeu. 06 sept. 2018) | 9 lignes Improved: Display From address in send confirmation email form (OFBIZ-10493) Open any sales order and press "Send a confirmation email" button. Note that header From is read-only and empty. No problem with read-only mode as the address has been taken from ProductStoreEmailSetting but I think it would be better to display this address. Thanks: Oleg Andreyev ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1840191 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1840199 | jleroux | 2018-09-06 11:53:23 +0200 (jeu. 06 sept. 2018) | 7 lignes Fixed: Action (find) button not visible in LabelManager search screen (OFBIZ-10549) When a user executes a search/find action in the Label Manager, and there are duplicated labels the 'Find' button is not visible anymore. Thanks: Pierre Smits ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1840201 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Upgraded Freemarker to the latest stable version (from 2.3.27-incubating to 2.3.28). git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1840896 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Webpos Keyboard Shortcut keys does not work correctly (OFBIZ-7945) Updated wrong function calls in switch case of activateHotKeys(). As support for Pin Payment transactions is still to be added under OFBIZ-5241. Commented code for Pin payment transaction and updated other shortcuts accordingly. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1841655 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Search operation on 'AssocRevisionItemView' entity causing exception. (OFBIZ-8842) Thanks Humera Khan for reporting the issue and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1841659 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-9761) Thanks Amit Gadaley for providing a patch for 16.11 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1841664 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Broken page renders while click on Submit button (OFBIZ-7535) Submit button on ListEmploymentApps form has no check to hide when no record in List due to which button always appears and shows broken screen when submitting empty list. Added screenlet around the form to fix distorted UI. Thanks Ankush Upadhyay for reporting the issue git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1841665 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1842372 | jleroux | 2018-09-30 15:49:30 +0200 (dim. 30 sept. 2018) | 11 lignes Fixed: Service Log screen is broken (OFBIZ-10342) Steps to regenerate Navigate to Logging menu under webtools https://demo-trunk.ofbiz.apache.org/webtools/control/LogView Select Service Log menu, see NPE error Thanks: Swapnil M Mane for report and Swapnil and Rishi Solanki for reviews ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1842374 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1842921 | jleroux | 2018-10-05 16:22:15 +0200 (ven. 05 oct. 2018) | 11 lignes Fixed: The query iCalendar/CALENDAR_PUB_DEMO/ no longer work (OFBIZ-10595) ControlFilter does not allow the untypical iCalendar/CALENDAR_PUB_DEMO/ query to pass. I have not checked deep, but since R13 works I believe it's due to OFBIZ-6760 where ControlFilter was added. Then CALENDAR_PUB_DEMO/ is considered a [Filtered request] and the whole iCalendar process in Thunderbird Calendar is broken Thanks: Jyri Sillanpaa for the detailled report ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1842924 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1843225 | jleroux | 2018-10-09 10:16:01 +0200 (mar. 09 oct. 2018) | 6 lignes Documented: Wrong handling of response type "cross-redirect" (OFBIZ-10569) The documentation was wrong, this fixes it Thanks: Dennis Balkir for the report and discussion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1843227 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1843893 | jleroux | 2018-10-15 12:06:04 +0200 (lun. 15 oct. 2018) | 4 lignes Fixed: Creating Javadoc on Windows fails (OFBIZ-10605) This is due to the lack of UTF-8 encoding ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1843895 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-9743) Additional change: Added success message to createContent and removeContent service too. Thanks Rohit Rai for reporting the issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1844953 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10314) Thanks Archana Asthana for reporting and Shikha Jaiswal for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1844965 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10314) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1844968 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1845420 | jleroux | 2018-11-01 10:39:17 +0100 (jeu. 01 nov. 2018) | 20 lignes Fixed: Missing Security and Cache Headers in CMS Events Fixed: (OFBIZ-10597) While rendering the view through the controller request we set the important security headers like x-frame-options, strict-transport-security, x-content-type-options, X-XSS-Protection and Referrer-Policy etc. in the response object. (Please see the 'rendervView' method of RequestHandler class.) In the similar line, we set the cache related headers like Expires, Last-Modified, Cache-Control, Pragma. But these security headers are missing in the pages rendered through CMS. (Please visit the CmsEvents class). These headers are very crucial for the security of the application as they help to prevent various security threats like cross-site scripting, cross-site request forgery, clickjacking etc. Thanks: Deepak Nigam for initial patch and review ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1845422 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1845466 | jleroux | 2018-11-01 13:55:26 +0100 (jeu. 01 nov. 2018) | 3 lignes Improved: no functional change, just some formatting Thanks: Taher for review ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1845468 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1845544 | jleroux | 2018-11-02 08:59:16 +0100 (ven. 02 nov. 2018) | 5 lignes Fixed: ComponentConfig::getAppBarWebInfos creates infos only for components without <<app-bar-display="false">> (OFBIZ-10637) It makes no sense since if the menuName var is empty the infos are returned. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1845546 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1845552 | jleroux | 2018-11-02 09:48:31 +0100 (ven. 02 nov. 2018) | 9 lignes Fixed: ComponentConfig::getAppBarWebInfos creates infos only for components without <<app-bar-display="false">> (OFBIZ-10637) LoginWorked::getAppBarWebInfos is used to define the apps menus in themes so we need to also check that no menuName is passed to ComponentConfig::getAppBarWebInfos. Else all menus appears in the secondary menu bars ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1845554 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1846214 | jleroux | 2018-11-09 09:11:46 +0100 (ven. 09 nov. 2018) | 20 lignes Fixed: Content - Able to add empty Forum Group (OFBIZ-10615) Steps to Regenerate issue: # Login to demo-trunk or demo-stable instance with details: URL - [https://demo-trunk.ofbiz.apache.org/content/control/findForumGroups] admin/ ofbiz OR URl - [https://demo-stable.ofbiz.apache.org/content/control/createForumGroup] admin/ ofbiz # Go to Content > Forum and try to create new forum group. # do not enter Forum Group Name and Description. # Click on the Submit button. Actual - System allowed the user to enter an empty forum group. This issue is occurring at demo-trunk and demo-stable instance. Expected - Empty Forum group should not be added. If the user tries to do this s/he should not be allowed and proper validation error message should display. Thanks: Sanjay Yadav ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1846216 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1846594 | jleroux | 2018-11-14 18:31:27 +0100 (mer. 14 nov. 2018) | 17 lignes Fixed: Manufacturing BOM search returning duplicate entries in search results (OFBIZ-10648) Bill of Materials search returning duplicate entries in search results. Test Steps: 1. Login to Manufacturing application. 2. Navigate to Bill of Materials tab. 3. Observe the issue in Search results. Expected Result: Unique products should be displayed on Bill of Materials search results. Actual Result: Bill of Materials search returning duplicate entries in search results. The distinct constraint is missing in FindProductBom.groovy find query. Thanks: Aditya Barve ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1846596 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Missing Security and Cache Headers in CMS Events (OFBIZ-10597) Instead of having multiple null checks for viewMap separately for each security header we can have a single combined null check at the top in setResponseBrowserDefaultSecurityHeaders() method. With increasing security headers these may become expensive. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1846634 13f79535-47bb-0310-9956-ffa450edef68

… of INGOING_SHIPMENT. > > (OFBIZ-6958) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1847340 13f79535-47bb-0310-9956-ffa450edef68

> > (OFBIZ-9912) Thanks Priya Sharma for reporting and Amit Gadaley for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1847354 13f79535-47bb-0310-9956-ffa450edef68

> > (OFBIZ-10315) > > Thanks Shikha Jaiswal for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1847362 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1847398 | jleroux | 2018-11-25 09:40:23 +0100 (dim. 25 nov. 2018) | 15 lignes Fixed: Instructions for Configurable PC don't work (OFBIZ-10542) This concerns only R16, R17 and the trunk. The "Instructions" button was not present in R13. This kind of message shows: Trunk: <a href="javascript:showErrorAlert('The following errors occurred','');" R16: <a href="javascript:showErrorAlert(" the="" following="" errors="" occurred","") The same exists for all configurable products, notably Gold Pizza Thanks: Priya Sharma ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1847401 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1847402 | jleroux | 2018-11-25 10:16:28 +0100 (dim. 25 nov. 2018) | 9 lignes Fixed: Mime Type not supported Error while generating a Composite Pdf (OFBIZ-9840) When generating a Composite Pdf in the Content Manager an Error occurs : Mime Type not Supported Steps to recreate the Error Message: Content Manager->CompDoc->Tree->View Instances->Tree-> Generate Composite Pdf Thanks: Thanks Julian Leichert for report, Aman Mishra for the fix ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1847403 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1848263 | jleroux | 2018-12-06 08:24:13 +0100 (jeu. 06 déc. 2018) | 13 lignes Fixed: Error on createShoppingListItem when adding item to cart as anonymous (OFBIZ-5157) It can be reproduced by setting the product_store field autoSaveCart to 'Y' (In Store 9000 for the demo-data). Then the error occurs upon the first visit of the ecommerce-site, provided the user is not logged in. First Visit: no userLogin OFBiz wants to autosave list saving list requires userLogin (forsecuritycheck) result: error Thanks: Mirko Vogelsmeier for report, Benjamin Jugl for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848267 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1848336 | jleroux | 2018-12-06 17:15:54 +0100 (jeu. 06 déc. 2018) | 7 lignes Fixed: ConcurrentModificationException in ShoppingCart.cleanUpShipGroups (OFBIZ-10696) There's a for-loop over shipInfo and a call to clear inside this loop which leads to a ConcurrentModificationException Thanks: Danny Trunk ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848338 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1848398 | jleroux | 2018-12-07 14:14:48 +0100 (ven. 07 déc. 2018) | 17 lignes Fixed: User's name is displayed on ecommerce even after user logs out (OFBIZ-10666) Steps to regenerate: Open URL: https://demo-trunk.ofbiz.apache.org/ecommerce/control/main. Welcome is displayed and user's name is not displayed when URL is opened. Login at ecommerce, username will be displayed after user logs in. Logout of ecommerce by clicking on logout. User will be logged out and login link will be displayed in place of logout link, but the name of user is still displayed. Actual: Username is still displayed after user logs out Expected: Username should not be displayed after the user logs out Note: Similar issue also exists when the user clicks on (Not You?) link. Thanks: Arpit Mor for detailled report, Deepak Dixit for discussion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848402 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10676) When editing product backlog items, inserted javascript code was executed on the client side. The confirmational blinking of the newly added or changed value was implemented using the .html(value) function of jQuery. This causes the html to be interpreted and the script to be executed. But the data is stored, converting it into html, so not considered to be a vulnerability. The fix changes the call to .text. This prevents the html to be interpreted. Thanks Benjamin Jugl for providing the patch which I applied manually for 16.11 because of path conflicts. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848443 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Missing nullcheck in service createContactListParty. (OFBIZ-10653) This fix adds a nullcheck for the partyEmail and provides a better errorMessage for the in-request service call. In addition the failing partyID will be logged for the admin to see. Thanks Dennis Balkir for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848446 13f79535-47bb-0310-9956-ffa450edef68

=== Seed data sequence bug regarding "MIDNIGHT_DAILY" TemporalExpression. (OFBIZ-10533) The TemporalExpression for "MIDNIGHT_DAILY" has to be loaded as seed data instead of initial-seed data to be available for other seed-initial usages of this TemporalExpression. The fix moves this TemporalExpression to the other TemporalExpression seed data in ServiceSeedData.xml. Thanks Martin Becker for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1848451 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Inconsistent behaviour of ServiceDispatcher.checkAuth (OFBIZ-10712) We have checkAuth method in service dispatcher class, this method performs multiple auth related check. if all checks passed it call the modelService.makeValid method to prepare service context (line#960) but this code executed only when service definition has a permission service call. If service does not have any permission service call then it does not call the modelService.makeValid and this may cause the service validation issue unknown parameter found. Ideally modelService.makeValid should call irrespective to permission service check. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849196 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: EntityUtilProperties.getProperties method should use cache. (OFBIZ-10717) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849198 13f79535-47bb-0310-9956-ffa450edef68

…UpdateBillingAddress service. (OFBIZ-10588) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849516 13f79535-47bb-0310-9956-ffa450edef68

…e UI. (OFBIZ-9746) Thanks Rohit Rai for reporting the issue and Jacques Le Roux, Devanshu Vyas Rishi Solanki for the discussion. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849517 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10580) Thanks Anushi Gupta for reporting, Saurabh Dixit for providing the patch and Jacques Le Roux for reviewing it. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849520 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10713) Thanks Sebastian Wachinger for reporting and Anushi Gupta for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849524 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: The child event added is not listed in the Child Work Efforts. While if we add an existing event it is listed in the WorkEffort component, applied patch from jira issue (OFBIZ-10111) Thanks, Rubia Elza Joshep and Pradeep Choudhary for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849530 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10668) Thanks Dikpal Kanungo for reporting and Prakhar Kumar for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849534 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Remove all the fk dependencies from stats entities to the business entities (OFBIZ-10721) stats related entities foreign key relation has been removed by Jacopo at r#1647271 and new group org.apache.ofbiz.stats introduced for stats related entity. Some remnants were still left in stats entities. Removed relations of Party, ContactMech and Content from ServerHit entity. Removed relations of Content from ServerHitBin entity. Removed relations of UserLogin from Visitor entity. Thanks Jacques Le Roux and Deepak Dixit for the review. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849541 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10736) Length of date in any formate will always be 10 (2(DD)+1(/)+2(MM)+1(/)+4(YYYY)) Thanks, Aditi Patidar for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849544 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1849567 | jleroux | 2018-12-22 20:18:49 +0100 (sam. 22 déc. 2018) | 10 lignes Fixed: Dependent dropdowns should be used in createPostalAddress and Set Billing screens of ordermgr. (OFBIZ-10681) If you create an EFT account from the quick finalyse page, at ordermgr/control/createPostalAddress the US states which are proposed by default are not the US states but all states. You still can pick one US state, but it's counter intuitive. Thanks: Aman Mishra for the fix and finding of Set Billing screen ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849570 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1849693 | jleroux | 2018-12-24 15:57:08 +0100 (lun. 24 déc. 2018) | 13 lignes Fixed: Having condition is ignored on queryList() and queryFirst() calls in EntityQuery (OFBIZ-9890) queryList() and queryFirst() both call internal private query() method. This method calls delegator.findList if a normal Entity/ViewEntity is used (not a DVE). DVE has no option to include a having condition and so must opt to use queryIterator(). Even queryCount() can use a having condition. Thanks: Rupert Howell and Gareth Carter for report, Prakhar Kumar for discussion and Gareth Carter for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1849695 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1850015 | jleroux | 2018-12-31 07:38:36 +0100 (lun. 31 déc. 2018) | 16 lignes Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) Fixes CVE-2018-17200 We currently use the UnsupportedClassConverter method in UtilXml class. When the 1.5 version of XStream will be available another way to handle this kind of things will be available and used by default. It's already possible to use the same with the 1.4 version of XStream with its setupDefaultSecurity method. So this replaces the UnsupportedClassConverter in UtilXml class by XStream::setupDefaultSecurity method. It's an improvement but better to backport it as much as possible The UtilXmlTests class and its use is removed and the UnsupportedClassConverter method deprecated (no use OOTB) ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850017 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10756) Fixes CVE-2018-17200 Updates XStream to 1.4.11.1 The previous version was not already supporting XStream::setupDefaultSecurity git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850019 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1850023 | jleroux | 2018-12-31 10:09:33 +0100 (lun. 31 déc. 2018) | 12 lignes Improved: Product Promo Worker description patch (OFBIZ-3907) Completes initial work from Sascha Rodekamp Returns promoName then promoText if promoName absent then and "No promotion name nor text" if either are present. We lose the information in promoText but at least it's correctly rendered in invoices PDF and accounting component. Thanks: Scott for report ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850026 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1850530 | jleroux | 2019-01-06 09:40:38 +0100 (dim. 06 janv. 2019) | 8 lignes Fixed: Impossible secure and autologin cookie names when mountpoint contains a slash inside its name (OFBIZ-10766) When you set a mountpoint which contains a slash inside its name (ie not only a slash as a trailer, which is possible), as it's needed with OFBIZ-10765, OFBiz tries to create a cookie with a slash in its name and that's impossible ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850533 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10770) Fixes CVE-2019-0189 This is an easy doing, we just need to add compile 'commons-fileupload:commons-fileupload:1.3-3' to the build.gradle file. So far the dependency was not given directly but by other dependencies git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850640 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1850685 | jleroux | 2019-01-07 21:37:10 +0100 (lun. 07 janv. 2019) | 8 lignes Fixed: Impossible secure and autologin cookie names when mountpoint contains a slash inside its name (OFBIZ-10766) My previous commit was wrong this one fixes it. I made a mistake trying to generalise changing UtilHttp::getApplicationName. This method is used in other places where the name should not be changed. Only cookies are concerned. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850688 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Unable to add additional product images from catalog (OFBIZ-10673) Removed code that was unused after r1081272, as logic to prepare the fileLocation was modified at r1081272 Thanks Rohit Koushal and Ingo Wolfmayr for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850922 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Wrong German translation in PartyUiLabels (OFBIZ-10786) Thanks Dennis Balkir for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1850952 13f79535-47bb-0310-9956-ffa450edef68

=== git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851005 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10788) git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851028 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1850914 | paulfoxworthy | 2019-01-10 04:32:33 +0100 (jeu. 10 janv. 2019) | 7 lignes Fixed: In packing, only use reservations with stock on hand (OFBIZ-9677) During packing, OFBiz looks for reservations (OrderItemShipGrpInvRes) for the order item. Some reservations are for back ordered items not on hand. These reservations should not be used during packing, but they are. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851165 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1851200 | jleroux | 2019-01-13 14:31:13 +0100 (dim. 13 janv. 2019) | 11 lignes Reverted: Impossible secure and autologin cookie names when mountpoint contains a slash inside its name (OFBIZ-10766) In my previous commit I reverted the initial change. As I said in the Jira I had a second look and it's better to fix the problem at the root as I did initially. I wrote in my previous commit: "This method is used in other places where the name should not be changed." I checked there are no issues changing slashes to underscores in the cookies names anywhere. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851202 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1851247 | jleroux | 2019-01-14 14:53:18 +0100 (lun. 14 janv. 2019) | 13 lignes Fixed: User's name is displayed on ecommerce even after user logs out (OFBIZ-10666) On further investigation, I found that cookie path and domain are different in the methods of creating the auto-login cookie i.e. LoginWorker.autoLoginSet() and removing the auto-login cookie i.e. LoginWorker.autoLoginRemove(). After following changes the issue seems to be fixed: 1. Removed getMaxAge() check from the condition used in LoginWorker.getAutoUserLoginId() method. 2. Corrected the path and domain in the method LoginWorker.autoLoginRemove(). Thanks: Deepak Nigam for discussion and fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851250 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1851319 | jleroux | 2019-01-15 08:43:36 +0100 (mar. 15 janv. 2019) | 12 lignes Fixed: partyId misses in EditEftAccount.ftl (party) when you create an EFT account from the quick finalize page (OFBIZ-10680) If you split the payment and want to create an EFT account you get an error in EditEftAccount.ftl (party) at line 40 colum 50: the partyId is missing. Adds the patch to add the partyId field that was missing while creating an EFT account or credit card in split payment mode. Added proper checks to avoid the broken screen in case the parameter is missing. Thanks: Ankit Joshi for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851322 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-9677) During packing, OFBiz looks for reservations (OrderItemShipGrpInvRes) for the order item. Some reservations are for back ordered items not on hand. These reservations should not be used during packing, but they are. Fixed bug in r1850914 when a single reservation's quantity exactly matches the quantity to pack. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851357 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: EntitySync Push and Pull functionalities (OFBIZ-10818) Removed unneccessary service implementation and used entity-auto Fixed some create/update code block in the flow git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1851882 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1851998 | jleroux | 2019-01-24 09:17:38 +0100 (jeu. 24 janv. 2019) | 11 lignes Fixed: Impossible secure and autologin cookie names when mountpoint contains a slash inside its name (OFBIZ-10766) Deepak Nigam reported on dev ML: When there is one web app with the empty mount point (i.e. deployed on root), the auto-login cookie will not work for that particular webapp due to the change in the path of the cookie from "/" to "/" + applicationName. Because the system will try to find the cookie at the "/" but it is actually at "/" + applicationName. Thanks Deepak for report ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1852001 13f79535-47bb-0310-9956-ffa450edef68

…ontains a slash inside its name (OFBIZ-10766) Forgot to create applicationName in r1852001, this fixes it git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1852003 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Services of EntitySync Push and Pull functionalities (OFBIZ-10818) Set transaction timeout of 2hrs for the actual data transmission services. Removed unwanted service updateEntitySyncRunning Called the tracking and status update services in new transaction so that record can be maintain after current transaction rollback git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1852681 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Html escaping missing for portalPageId parameter of Help button (OFBIZ-10828) Thanks, Niels Heinen of the Google security team for reporting the issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1852821 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Alignment issue at Catalog Manager page. (OFBIZ-9461) Thanks Sanjay Yadav and Humera Khan for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1852824 13f79535-47bb-0310-9956-ffa450edef68

… checkout page (OFBIZ-10827) Manually backported to release16.11 (committed in the trunk at rev 1852988) Thanks: Ravi Lodhi for reporting the issue and Pawan Verma for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1853003 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1853070 | jleroux | 2019-02-06 13:52:20 +0100 (mer. 06 févr. 2019) | 13 lignes Fixed: URL not encoding in FTL (OFBIZ-10816) I have created Product as TEST#01 in demo site and attached the Same to category 101. In the category master searched for category 101 went to product tab, when I am trying to open a product master, link is generated like and asking for creating new product. But in product search and menu click is working fine problem is from ftl url are not getting encoded...Don`t know whats happening on FTL printing.... jleroux: fixes also catalog/control/EditProduct?productId=test%2301 (for test#1) Thanks: Murugeswari for report and Pawan Verma for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1853075 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1853691 | jleroux | 2019-02-16 10:42:03 +0100 (sam. 16 févr. 2019) | 9 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1853695 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1853745 | jleroux | 2019-02-17 13:38:06 +0100 (dim. 17 févr. 2019) | 8 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list I used was not complete. This adds "java.util.HashMap", "Boolean", "Number", "Integer" which are the ones missing I found so far. Maybe other classes could still miss OOTB. So I added a warning in SafeObjectInputStream::resolveClass ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1853748 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1853750 | jleroux | 2019-02-17 13:46:56 +0100 (dim. 17 févr. 2019) | 15 lignes Fixed: Add To Order button not working on shopping list screen (OFBIZ-10836) Steps to generate: 1.Navigate to https://demo-trunk.ofbiz.apache.org/ordermgr/control/orderentry 2.Add any finished good to the order. 3.Select New Shopping List from Add Order Items To Shopping List section. 4.Click on Add To Shopping List. 5.Now Click on Add To Order button ahead of any product in that shopping list. 6.Error message displays on the screen Thanks: Rohit Hukkeri jleroux: note that there is another issue popping up when testing this issue. It's related with OFBIZ-10418 and maybe OFBIZ-5157 ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1853753 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1854306 | jleroux | 2019-02-25 11:33:53 +0100 (lun. 25 févr. 2019) | 6 lignes Improved: no functional change A missing space before CommonBranch label made the word trunkbranch instead of trunk branch. I'll backport this ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1854309 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1854457 | jleroux | 2019-02-27 14:01:59 +0100 (mer. 27 févr. 2019) | 9 lignes Fixed: No userLogin given in calculateProductPrice service call context (OFBIZ-10842) The call context for calculateProductPrice doesn't contain the userLogin This is needed in the customPriceCalcService So currently there's no chance to get the user information in a custom price calc service. Thanks: Danny Trunk for the proposition (I changed the code myself) ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1854460 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Service failed to mark expired authorized payments of Authorize.net as void. (OFBIZ-10727) Thanks Amit Gadaley for reporting the issue and providing the patch, thanks Jacopo for discussion and feedback. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855080 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10826) Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295). git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855095 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1855287 | jleroux | 2019-03-12 09:29:37 +0100 (mar. 12 mars 2019) | 10 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Rohit at OFBIZ-10573 This adds FlexibleStringExpander It seems the warning in SafeObjectInputStream::resolveClass is not enough. Anyway I'll not change it. Thanks: Rohit Koushal ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855290 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1855371 | jleroux | 2019-03-13 09:19:32 +0100 (mer. 13 mars 2019) | 10 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Deepak at OFBIZ-10837 This adds sun.util.calendar.ZoneInfo It seems the warning in SafeObjectInputStream::resolveClass is not enough. Anyway I'll not change it. Thanks: Deepak Dexit ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855374 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: simpleTypeConvert always returns Null for Document, Document Type and Notation Node (OFBIZ-10832) As per the code, getTextContent() method is used get text content of the node and its descendants but the node.getTextContent() always return Null for the following Node type DOCUMENT_NODE, DOCUMENT_TYPE_NODE, NOTATION_NODE [1] Since we can't get the text value of Document, Document Type and Notation Node, thus simply return the same object. [1] https://docs.oracle.com/javase/7/docs/api/org/w3c/dom/Node.html#getTextContent() Thanks: Deepak Dixit for reviewing the code. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855412 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1855488 | jleroux | 2019-03-14 08:42:17 +0100 (jeu. 14 mars 2019) | 11 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.sql.Timestamp It seems the warning in SafeObjectInputStream::resolveClass is not enough. Anyway I'll not change it. Thanks: Wolfgang Rauchholz ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855491 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1855492 | jleroux | 2019-03-14 09:28:27 +0100 (jeu. 14 mars 2019) | 11 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.util.Date It seems the warning in SafeObjectInputStream::resolveClass is not enough. Anyway I'll not change it. Thanks: Wolfgang Rauchholz ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855495 13f79535-47bb-0310-9956-ffa450edef68

=== Reverted: Changes done at r#1854306, Removed the extra space from CommonBranch uiLabel values git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855500 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Added line separator while while generating svn/git info footer. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855504 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Moved the nodeType check after node.getTextContent() method call (OFBIZ-10832) Since most nodes will contain text then it will be more efficient to do a null check after retrieving nodeValue. Thanks: Scott for your valuable inputs. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1855901 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10873) The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. Actually it's from 8.5.37 to 8.5.38 in R16 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856216 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1856405 | jleroux | 2019-03-27 15:16:24 +0100 (mer. 27 mars 2019) | 12 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.math.BigDecimal and "[B" (ie [B == byte[] and I don't understand why in this case "byte[]" does not work) It seems the warning in SafeObjectInputStream::resolveClass is not enough. Anyway I'll not change it. Thanks: Ingo Wolfmayr at OFBIZ-10870 ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856408 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1856455 | jleroux | 2019-03-28 08:50:32 +0100 (jeu. 28 mars 2019) | 7 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Ed Mack This adds all arrays of primitives and java.math.BigDecimal Thanks: Ed Mack at OFBIZ-10876 ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856458 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1856460 | jleroux | 2019-03-28 09:30:21 +0100 (jeu. 28 mars 2019) | 10 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 There was a recurring typo in previous commit. For arrays of primitives it should be "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C" and not "[Z","[B","[S","[I","[J","[F","[D","[C" It shows how tired I'm :/ ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856463 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1856484 | jleroux | 2019-03-28 16:36:13 +0100 (jeu. 28 mars 2019) | 13 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 The white list was still not complete as reported by Ed Mack This adds org.apache.ofbiz.widget.model.ModelTheme java.util.Collections java.util.LinkedList java.util.ArrayList java.util.TimeZonz Thanks: Ed Mack at OFBIZ-10876 ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856487 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Missing oldStatusId in error when no status valid change record found (OFBIZ-10377) In the case of entity auto service, when an invalid status change is performed, the error message doesn't show the current status of the item from which the user is changing the status. Thanks: Lalit Dashora for reporting the issue and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856601 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Error message is populating while clicking on product barcode. (OFBIZ-10743) Used code128 to generate product barcode. Thanks Ashish Sharma for reporting, everyone who participated in discussion and Pawan Verma for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856621 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1856667 | jleroux | 2019-03-31 11:14:16 +0200 (dim. 31 mars 2019) | 10 lignes Fixed: EmailServices.sendMail causes a NPE, when sendFrom is missing (OFBIZ-10706) I tried to find the history for why the service does not take the defaultFromEmailAddress property from general.properties and I found that It was last modified in revision r418498 on 02/07/2006, I think it was always broken. This uses defaultFromEmailAddress property in sendMail if sendFrom is missing Thanks: Benjanmin Jugl reported, Pawan Verma fixed and others for discussion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1856670 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857180 | jleroux | 2019-04-09 13:58:22 +0200 (mar. 09 avr. 2019) | 19 lignes Fixed: Quick Add button for shopping list on Orderentry screen is not working (OFBIZ-9908) Steps to generate 1. Navigate to https://demo-trunk.ofbiz.apache.org/ordermgr/control/orderentry 2. Press continue on sales order screen. 3. Add any finished good product to the sales order 4. In 'Add Order Items to Shopping List' section, select 'new shopping list' from the drop down and click on 'Add to shopping list' button 5. you navigate to 'addBulkToShoppingList' screen, click on 'Quick Add' button. Issue: The quick add button is not working. jleroux: as suggested by Ankush: "One of possible workaround is calling createShoppingList with new transaction to resolve this deadlock issue." This just does that for every calls. Thanks: Garima jain for report, Rohit Hukkeri for discussion and Ankush Upadhyay for fix suggestion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857184 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857213 | jleroux | 2019-04-09 17:31:50 +0200 (mar. 09 avr. 2019) | 4 lignes Fixed: Quick Add button for shopping list on Orderentry screen is not working (OFBIZ-9908) Fixes typos introduced with previous commit ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857216 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10757) As discussed on dev ML (https://markmail.org/message/wgy6cjzhv5auy52q) we need to inform users about the consequences of keeping on using Oracle Java. We also suggest to use adoptopenjdk instead of Oracle JDK Thanks to all who discussed on dev ML git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857381 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857392 | jleroux | 2019-04-12 11:29:03 +0200 (ven. 12 avr. 2019) | 14 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 Cleans and simplifies things in UtilObject.java and also handles patterns. That's what we missed most when needing to update. Fixes typos in SafeObjectInputStream class and add a commented line for a WIP in resolveProxyClass method Also includes work done in UtilObject.java for OFBIZ-9855 "Using try-with-resources with File IO Objects." ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857395 13f79535-47bb-0310-9956-ffa450edef68

…mage by mocked request git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857457 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857099 | jleroux | 2019-04-08 11:17:55 +0200 (lun. 08 avr. 2019) | 12 lignes Improved: Using try-with-resources with File IO Objects. (OFBIZ-9855) Uses try with resources for File IO objects like ObjectInputStream and other objects. File classes have the AutoCloseable interface. jleroux: this is only a part of the 2nd patch. The 1st patch will be committed soon too... All tests pass Thanks: Pradhan Yash Sharma ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857488 13f79535-47bb-0310-9956-ffa450edef68

…n applications/order/ (OFBIZ-10926) When you edit an order linked to an other order like drop shipment process, shopping cart lost the connexion. The problem came from ShoppingCart.makeAllOrderItemAssociations() function that prepared all generic value OrderItemAssoc without toOrderId. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857608 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Wrong permission check in ProductScreens#FindProduct (OFBIZ-10925) Thanks Dennis Balkir for your contribution The permission service acctgAgreementPermissionCheck is used in the screen FindProduct in ProductScreens.xml. This doesn't really make sense, since there is no connection to the accounting application here. There was the service productGenericPermission which could have been used instead, but this one calls the simple-method checkProductRelatedPermission, which then check for the CATALOG permission. Since this is already done in the CommonProductDecorator before, it would not make any sense to do this a second time. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857621 13f79535-47bb-0310-9956-ffa450edef68

…mAttributes (OFBIZ-10929) When you clone a ShoppingCartItem by constructor : ShoppingCartItem sci = new ShoppingCartItem(ShoppingCartItem item) The ShoppingCartItem.orderItemAttributes wasn't propage from origin. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857660 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857692 | jleroux | 2019-04-17 18:19:00 +0200 (mer. 17 avr. 2019) | 5 lignes Fixed: Stores can't be modified at ofbizsetup/control/updateProductStore (OFBIZ-10930) Same than parent issue (OFBIZ-10567) but in ofbizsetup component (which should have been names setup BTW, I created a setup component for that in Jira) ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857695 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: If the picklist cancelation process failed, the picklist item shouldn't be marked as cancel (OFBIZ-4690) When a transaction is running in which Picklist entity is updated (i.e. canceled), now if the transaction is rollback the picklist status will not be changed but as per previous code, the picklist item's status will get updated i.e. marked as cancel because we called the cancelPicklistAndItems service in async mode So the situation here was the Picklist is not canceled, but the Picklist items were marked as cancel. Thus to fix it, call the cancelPicklistAndItems service in sync mode. Thanks: Jacques Le Roux for your thoughts. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1857816 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858141 | jleroux | 2019-04-25 16:27:36 +0200 (jeu. 25 avr. 2019) | 11 lignes Fixed: Ensure html verbosity is following general setup (OFBIZ-10940) Currently the configuration of the Birt and Scrum component does not follow the - de facto - standard of having the html code reference the OFBiz widget and templates. See [1] vs [2] [1] view-source:https://demo-trunk.ofbiz.apache.org/birt/control/main [2] view-source:https://demo-trunk.ofbiz.apache.org/accounting/control/main Thanks: Pierre Smits ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858144 13f79535-47bb-0310-9956-ffa450edef68

…ng a project. (OFBIZ-10927) Thanks Pierre Smits for reporting, Pawan Verma for the patch and Jacques for review. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858249 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Customer Party getting set as 'organizationPartyId' in one the Account transaction for Customer return invoice. (OFBIZ-10856) Thanks Chinmay Patidar for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858253 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858275 | jleroux | 2019-04-27 15:33:44 +0200 (sam. 27 avr. 2019) | 18 lignes Fixed: Display of entities in text input field for Product Name (OFBIZ-10356) In the url: catalog/control/EditProductContent?productId=GZ-1006-1 the "Product Name" under "Override Simple Fields" is unnecessarily expressed in entity format . The string displayed in product name field is: "Open Gizmo (LGPL)" it could have been a simple "Open Gizmo (LGPL)" jleroux: this was due to OFBIZ-248 when StringUtil.wrapString() was not yet available (IIRW) Thanks: Rajesh Kumar Mallah for report, Swapnil M Mane for discussion, and Ankit Joshi for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858278 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10913) Thanks Pierre Smits for repoting, Deepak Dixit for comments/findings and Pawan Verma for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858288 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858312 | jleroux | 2019-04-28 12:51:46 +0200 (dim. 28 avr. 2019) | 17 lignes Fixed: Remove link is not working in shopping list (OFBIZ-10967) Steps to reproduce 1. Login with valid username and password. 2. Navigate to ecommerce. 2.1 Adds product/s to the cart 2.2 Add it/them in a shopping list. 4. Navigate to shopping list section. 5. Click on link “Remove" Expected Result: Product should be removed from shopping list. Actual Result: Remove link is not working. jleroux: OFBIZ-7291 broke it. That can be tested on old demo (R13) Fixed by using a simple submit field Thanks: Ashish Sharma for report ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858316 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: createProductFeature service ignoring passed productFeatureId parameter (OFBIZ-10958) In the change, used override tag instead of attribute. And set the optional true in INOUT mode for productFeatureId. But since we are using entity-auto productFeatureId will be always available (either user provide it and if not passed by the user, system will autogenerate it), thus it will be always OUT. Additional Notes: Here we can't make a changes mentioned below, because, for *optional* field's value, invokeCreate method (internally calling isIn and IsOut methods of ModelParam) of EntityAutoEngine.java consider the attribute (override) defined at last for parameters with the same name. i.e. for below example, optional value for productFeatureId for mode IN will be false (but it is defined true) {code} <override name=productFeatureId type=String mode=IN optional=true/> <override name=productFeatureId type=String mode=OUT optional=false/> {code} Due to this, isSinglePkIn (in invokeCreate method) field got false value, and the system will auto-generate the productFeatureId and ignore the user's input. Similarly, we can't write in this way {code} <override name=productFeatureId type=String mode=OUT optional=false/> <override name=productFeatureId type=String mode=IN optional=true/> {code} Because in this case, isSinglePkOut (in invokeCreate method) field got false value, and again the system will auto-generate the productFeatureId and ignore the user's input. Thanks: Ulrich Heidfeld for reporting the issue and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858322 13f79535-47bb-0310-9956-ffa450edef68

=== [Fixed]: Added permission checks to three blog/forum services; improved the configuration for the "add article forum" form (the source tab is not needed in the ecommerce application). Fixes CVE-2019-10073 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858438 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858444 | jleroux | 2019-04-30 18:23:56 +0200 (mar. 30 avr. 2019) | 34 lignes Fixed: Unknown request [images]; this request does not exist or cannot be called directly. (OFBIZ-10895) This error happens in many occasions: Inside another request (eg LookupProduct) Of after a request (eg login) It shows only in log and have no effect on UI. Notably the new feature normally showing an error message in trunk (OFBIZ-10753) does not shows It happens in all supported releases. IIRW it always happened, only URLs like https://demo-trunk.ofbiz.apache.org/images/defaultImage.jpg work. But here it's different because we don't need to call https://demo-trunk.ofbiz.apache.org/images by hand to get the issue in log. So it's not very bad since it's has no side effects, just weird and annoying. Because it might hide something undetected yet... This issue does not appear in R15, a good place to test is for instance ordermgr/control/request. There cal.gif is called by /images/cal.gif and it works (the images appears) but in more recent versions the call is also done to /ordermgr/control/images/cal.gif where it fails. This 1st appears in ControlFilter in the stack trace. As said Deepak Dixit: I think we need to fix the image url in css file, it should start with /images, else browser append this in request info. There is nothing related to java or tomcat code. This is a 1st commit for the errors I already reported and I'm sure about Common-theme does not exist here so some have been handled by hand Thanks: Deepak ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858448 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858523 | lektran | 2019-05-02 10:59:11 +0200 (jeu. 02 mai 2019) | 1 ligne Fixed: Ensure the story field in ordermgr's EditCustRequest form is html encoded (OFBIZ-11006) Fixes CVE-2019-10074 ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858533 13f79535-47bb-0310-9956-ffa450edef68

=== Improved: Replaced permission-service with required-permissions in order to perform permission checks in a way that is more consistent with the screen permissions set in the ecommerce blog/forum screens. Fixes CVE-2019-10073 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858543 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1857088 | mthl | 2019-04-08 00:11:53 +0200 (lun. 08 avr. 2019) | 6 lignes Fixed: Remove redundant interface declaration (OFBIZ-10910) ‘java.io.ObjectInputStream’ already implements the ‘AutoCloseable’ interface, so there is no need to declare it in ‘SafeObjectInputStream’ which extends this class. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858868 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-11004) Overriding a synchronized method with a non-synchronized one can introduce potential runtime concurrency bugs. Since ‘ExtendedProperties#loadFromXML’ is overridding ‘Properties#loadFromXML’ which is synchronized, it is safer to mark it as synchonized. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858930 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10187) This makes the sanitizing enabled/disabled by configuration and enhances the functionality to support custom sanitizer policies. A reasonable example policy class is also included. Thanks Dennis Balkir for reporting and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858968 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858965 | jleroux | 2019-05-09 08:05:05 +0200 (jeu. 09 mai 2019) | 18 lignes Fixed: Product content management screen doesn't validate trusted users' input (OFBIZ-10054) Steps to recreate: 1) go to (authenticate with admin/ofbiz): https://localhost:8443/catalog/control/EditProductContent?productId=WG-1111 2) set the content of the field labeled "Large Image" to: non_existent.foo" onerror="alert('Hi!'); 3) visit the url: https://localhost:8443/ecommerce/control/product?product_id=WG-1111 A popup message will appear with the "Hi!". jleroux: This is fixed by preventing any js event to be passed Thanks: Loris Nardo for report, Jacopo and Gregory for discussion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858969 13f79535-47bb-0310-9956-ffa450edef68

I'm not sure why but I need to add compile 'org.apache.commons:commons-lang3:3.9' here, while it's not necessary in trunk, R17 and R18, weird git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858977 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858933 | mthl | 2019-05-08 19:09:25 +0200 (mer. 08 mai 2019) | 5 lignes Improved: Rewrite ‘CustomPermissivePolicy#matchesEither’ static method (OFBIZ-10187) It now uses a lambda expression instead of an anonymous class. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858978 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1858980 | jleroux | 2019-05-09 11:17:08 +0200 (jeu. 09 mai 2019) | 4 lignes Fixed: OWASP sanitizer breaks proper rendering of HTML code (OFBIZ-10187) By default we now use a permissive sanitizer policy ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1858983 13f79535-47bb-0310-9956-ffa450edef68

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859015 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859012 | jleroux | 2019-05-09 16:32:35 +0200 (jeu. 09 mai 2019) | 6 lignes Fixed: Touch F8 in webpos does not work and generate an error (OFBIZ-11010) Adds missing data for POS_SALES_CHANNEL fix this issue, was removed in r1754402. Thanks: Pawan Verma ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859016 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859033 | jleroux | 2019-05-09 21:46:07 +0200 (jeu. 09 mai 2019) | 21 lignes Fixed: Update invoice item looses invoice context (OFBIZ-11009) When clicking the "update" button on an invoice item the context to the invoice (invoiceId) is lost. The result is an empty form to add a new invoice item without invoice context. Go to /accounting/control/listInvoiceItems?invoiceId=demo10001 Click on "update" below the existing items. You will then be redirect to /accounting/control/listInvoiceItems (without invoiceId). You will not see the invoice items as the context to the invoice is gone. jleroux: the same existed for budget items. As Ingo mentioned: <<It was broken by OFBIZ-9997: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam>> Now we need to check all changes done for OFBIZ-9997 Thanks: Ingo Wolfmayr for report and fix proposition ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859036 13f79535-47bb-0310-9956-ffa450edef68

Fixes typos git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859090 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Issue in function getVariantSelectionFeatures of ProductWorker.java (OFBIZ-11029) Check should be isVirtual instead of productId. Also handled a NullPointerException for variantProduct. Thanks Denglong Zhou for reporting the issue, Pawan Verma for the patch and Suraj Khurana & Jacques Le Roux for the review git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859258 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859543 | jleroux | 2019-05-20 12:10:34 +0200 (lun. 20 mai 2019) | 24 lignes Fixed: Redirection of pathAlias to aliasTo does not work properly (OFBIZ-11018) Link of discussion: https://markmail.org/message/s37whdteejqdzkha In CMS, we can redirect the user to different path alias using 'aliasTo' field of WebSitePathAlias entity. As per my observation, the content for "newDemoHome" is rendered properly (as expected) but the URL of the page (in browser) doesn't change. We should also update the URL also, i.e. change browser URL from Example - <WebSitePathAlias aliasTo="demoPage2" fromDate="2016-06-09 13:37:30.43" pathAlias="demoHome2" webSiteId="CmsSite"/> <WebSitePathAlias contentId="CMSS_DEMO_PAGE1" fromDate="2016-06-09 13:37:30.43" pathAlias="demoPage2" webSiteId="CmsSite"/> Based on the above data, if the user hit the URL https://localhost:8443/cmssite/cms/demoHome2 the CMS should internally render the content for 'DemoHome2' at https://localhost:8443/cmssite/cms/demoPage2 Thanks: Pawan Verma ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859546 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859571 | jleroux | 2019-05-20 19:14:43 +0200 (lun. 20 mai 2019) | 22 lignes Fixed: field emplFromDate is forgot in PayHistory entity (OFBIZ-11028) Arpit Mor: steps to regenerate: Login to the URL: https://demo-trunk.ofbiz.apache.org/humanres/control/main Click on Employments Click on New Employments Click on Create Actual: Error message is displayed. Olivier Heintz: employment is associated with PayHistory, and there is a problem in PayHistory entity definition in OFBiz, In PayHistory, the field fromDate from Employment is confused with fromDate about the current record. A Employment can have multiple PayHistories and should have multiple because PayHistory should show history of Pay for a employment ! It's necessary to have a field emplFromDate (to have the complete employment primaryKey). When modifying a PayRecord the current should be expire and a new one should be created. Thanks: Arpit Mor for report at OFBIZ-10969 and Olivier Heintz for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859574 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859576 | jleroux | 2019-05-20 20:02:09 +0200 (lun. 20 mai 2019) | 15 lignes Fixed: Unknown request [images]; this request does not exist or cannot be called directly. (OFBIZ-10895) This error happens in many occasions. It shows only in log and have no effect on UI. It happens in all supported releases. So it's not very bad since it's has no side effects. As said Deepak Dixit: I think we need to fix the image url in css file, it should start with /images, else browser append this in request info. There is nothing related to java or tomcat code. I finally decided to do a whole change, here it is ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859579 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859691 | jleroux | 2019-05-22 09:39:08 +0200 (mer. 22 mai 2019) | 15 lignes Fixed: It's impossible to create more than 1 ProductManufacturingRule (OFBIZ-11047) In a previous commit for OFBIZ-9997 I wrote: >DeleteProductManufacturingRule seems weird to me because I don't understand how >to create several Manufacturing Rules. I'll check Sharan's book :) I checked Sharan's book and there is nothing about it It also shows ManufacturingMachineGroupIdAlreadyExist ("Fixed Asset Group ID doesn't exist") when you try to create one using manually the AddProductManufacturingRule service which makes no sense. This fixes it by adding the necessary in BomForms.xml and fixing addProductManufacturingRule which was wrong from start (pre Apache era) ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859695 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859704 | jleroux | 2019-05-22 10:59:45 +0200 (mer. 22 mai 2019) | 8 lignes Fixed: When you select a ProductManufacturingRule if several exist only the one selected will show multiple times in the list (OFBIZ-11048) When you select a ProductManufacturingRule if several exist only the one selected will show multiple times in the list This was due to a wrong usage of auto-fields-service, from pre Apache era ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859707 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859735 | jleroux | 2019-05-22 18:41:04 +0200 (mer. 22 mai 2019) | 12 lignes Fixed: massPrintOrders service does not work (OFBIZ-11049) This problem was similar to what was resolved by r1806237 for OFBIZ-9138. This fixes it by using the same solution than in r1806237. If the visual theme is unknown in the the service context get the default theme from general.properties using ThemeFactory::resolveTheme. sendPrintFromScreen, createFileFromScreen, sendBirtMail, getXslFo and printReportPdf (in example) were concerned ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859740 13f79535-47bb-0310-9956-ffa450edef68

R16 is not concerned (common theme did not exist then) "Applied fix from trunk framework for revision: 1859735 " ------------------------------------------------------------------------ r1859735 | jleroux | 2019-05-22 18:41:04 +0200 (mer. 22 mai 2019) | 12 lignes Fixed: massPrintOrders service does not work (OFBIZ-11049) This problem was similar to what was resolved by r1806237 for OFBIZ-9138. This fixes it by using the same solution than in r1806237. If the visual theme is unknown in the the service context get the default theme from general.properties using ThemeFactory::resolveTheme. sendPrintFromScreen, createFileFromScreen, sendBirtMail, getXslFo and printReportPdf (in example) were concerned ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859741 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859796 | jleroux | 2019-05-23 18:33:26 +0200 (jeu. 23 mai 2019) | 5 lignes Fixed: Mass actions in FindOrders.ftl don't keep parameters (OFBIZ-11052) This adds a missing ampersand after requestParameters.hideFields?default("N") when needed ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859799 13f79535-47bb-0310-9956-ffa450edef68

Some handled by hand ------------------------------------------------------------------------ r1859807 | jleroux | 2019-05-23 18:41:59 +0200 (jeu. 23 mai 2019) | 5 lignes Fixed: Unknown request [images]; this request does not exist or cannot be called directly. (OFBIZ-10895) This should be the last commit, but I can't be sure. So I'll continue to monitor the demos logs... ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859811 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859871 | jleroux | 2019-05-24 15:24:31 +0200 (ven. 24 mai 2019) | 14 lignes Fixed: OWASP sanitizer breaks proper rendering of HTML code (OFBIZ-10187) After a discussion with Dennis, I checked and the pattern ONSITE_URL would be useless without .allowAttributes("background").matching(ONSITE_URL) .onElements("table") .allowAttributes("background").matching(ONSITE_URL) .onElements("td", "th", "tr") So here they are Thanks: Dennis Balkir for discussion ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859874 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859877 | jleroux | 2019-05-24 15:47:08 +0200 (ven. 24 mai 2019) | 10 lignes Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe" (OFBIZ-5254) This was reopened after discussion at https://markmail.org/message/jnaitmwahjcjmdn5 This is a new solution which follows the work done with OFBIZ-6669 and OFBIZ-10187 Roughly said, it uses org.owasp.html.PolicyFactory and org.owasp.html.Sanitizers Thanks: Christoph Neuroth for report ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859880 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859882 | jleroux | 2019-05-24 16:16:39 +0200 (ven. 24 mai 2019) | 5 lignes Improved: no functional change Javadoc was unhappy: CustomPermissivePolicy.java:13: error: element not closed: blockquote ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859885 13f79535-47bb-0310-9956-ffa450edef68

Handled by hand ------------------------------------------------------------------------ r1859893 | jleroux | 2019-05-24 19:15:04 +0200 (ven. 24 mai 2019) | 4 lignes Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe" (OFBIZ-5254) Once again forgot to commit this changes in plugins :/ ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859896 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859968 | jleroux | 2019-05-25 15:25:34 +0200 (sam. 25 mai 2019) | 16 lignes Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe" (OFBIZ-5254) The testCreateNewRequest was failing due to escaped single quotes in related data in OrderTypeData.xml: subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}" This was a peculiar case that could be generalised to all escapable characters. The general solution is to compare the original value with the filtered value unescaped in UtilCodec::checkStringForHtmlSafe. BTW, weirdly enough StringEscapeUtils::escapeHtml4 does not escape single quote. Another weirdness is the test was passing with plugins data loaded. This is due to duplicated demo data in scrumTypeData.xml (which is actually not only type data, as ever the scrum component is a mess, that's not new and always wonder if we should not get rid of it!) ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859971 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1859981 | jleroux | 2019-05-25 16:24:30 +0200 (sam. 25 mai 2019) | 14 lignes Fixed: Runtime error exceptions at Leads page (OFBIZ-11059) Step to recreate issue - Login to https://demo-trunk.ofbiz.apache.org/ordermgr/control/main Application > SFA SFA > Lead Manager Leads > Click on All Leads button Application throw Runtime error exception in My Leads section. Thanks: Sanjay Yadav for report, Kumar Rahul for the fix and Pierre Smits for help on Jira issue ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1859987 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: CSS Styling for Party Content progress bar is wrong in multiple theme. (OFBIZ-10797) Thanks Ayushi Rathod for reporting the issue and providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860085 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1860141 | jleroux | 2019-05-27 18:28:32 +0200 (lun. 27 mai 2019) | 13 lignes Fixed: Edit WebSite Path Alias is not working (OFBIZ-11022) Steps to regenerate: Login into content Select any website(Preferably CmsSite as it has pathAlias) Click on pathAlias tab Select any pathAlias to edit See edit option is not available on screen, Create option is available which is creating new pathAlias instead of edit. Thanks: Pawan Verma ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860144 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Corrected the navigation of 'To Facility ID' on the inventory transfer screen (OFBIZ-10992) Steps to regenerate: 1.) Go to Facilities. 2.) Select Inventory Xfers option. 3.) Create Transfer Inventory Item from any Warehouse. 4.) Navigate to Transfer Inventory overview screen https://localhost:8443/facility/control/TransferInventoryItem?inventoryTransferId=10001 5.) 'Facility Id To' link is not redirecting to correct facility Thanks: Pawan Verma and Aishwary Shrivastava for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860277 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1860357 | jleroux | 2019-05-29 18:29:31 +0200 (mer. 29 mai 2019) | 14 lignes Fixed: Gradle eclipse task - classpath modification (Add exclusion for <OFBiz>/framework/base/config and <OFBiz>/framework/base/dtd) (OFBIZ-11071) Eclipse task removes all classpath entries that affects following entries also - * <OFBiz>/framework/base/config * <OFBiz>/framework/base/dtd These two entries are essential to start OFBiz successfully. Developer has to manually add these entries back to start OFBiz from IDE. Following this discussion: https://s.apache.org/baoT Thanks: Girish Vasmatkar ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860360 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1860526 | jleroux | 2019-06-02 15:10:36 +0200 (dim. 02 juin 2019) | 11 lignes Fixed: Unknown request [images]; this request does not exist or cannot be called directly. (OFBIZ-10895) I was wrong doing massive changes w/o close control. I decided to revert the r1859576 and r1859807 commits and to backport the revert The only safe way to go is to not only check the error log for "Unknown request [...." but also to look for 404 in access log, not all request show erroneously in error log/ ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860529 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: removed override directives to let the system perform proper validation of user input. Fixes CVE-2019-10073 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860595 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-11090) Parameters vlaue should be escaped to avoid any kind of corss site scripting issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860600 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: fine tuned the sanitization of user input by allowing "safe" content; thanks to Jacques for the suggestion. Fixes CVE-2019-10073 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860616 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Wrong page title displayed on contact us page of ecommerce (OFBIZ-11062) Thanks Arpit Mor and Ayushi Rathod for your contribution git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860651 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Profile of contact person not shown on quick add of contact in SFA. (OFBIZ-7816) Issue occurred due to missing redirect parameter. Thanks Rohit Hukkeri for providing the updated patch and everyone else for their contribution in this ticket. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860800 13f79535-47bb-0310-9956-ffa450edef68

…le adding item to cart. > (OFBIZ-10885) Thanks Ravi Lodhi for reporting and Nitish Mishra for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1860807 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10678) 1. For solving CVE-2015-9251 and CVE-2019-11358, upgraded jQuery to 3.4.1 and jQuery migrate to 3.0.0 2. Replaced broken library Fancybox with Featherlight. Added custom css so that cursor for links becomes pointer Thanks Jacques Le Roux for the reviews git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861566 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: typo in the NOTICE file content git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861618 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Issue with Status of invoice. (OFBIZ-10310) Cause: Missing statusId in parameters. Thanks Aayush Jain for reporting and Devanshu Vyas for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861841 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Getting an error while creating event from SFA without providing event name. (OFBIZ-11109) Thanks Harman Kaur Matharu for reporting and Aditi Patidar for providing the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861844 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10900) Thanks Pierre Smits for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861852 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Issue in which Ecommerce anonymous contactus was having wrong fromAddress. (OFBIZ-10844) As per my understanding, sendFrom email cannot be the customer's email address. Email settings for this email are maintained at ProductStoreEmailSetting with CONT_NOTI_EMAIL as emailType and like other notifications, we should use ProductStoreEmailSetting.fromAddress to send this email which is configurable. Thanks: Schumann Ye for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861862 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1861869 | jleroux | 2019-06-22 16:19:09 +0200 (sam. 22 juin 2019) | 15 lignes Fixed: Logo image not showing on party profile (OFBIZ-9299) Logo image not displayed until we press in content component Logo image was not showing on party profile page because we were using Ajax request to add party content on the party profile screen. So due to ajax request screen was not getting refreshed. To display logo image we did the following changes: 1) Removed ajax request and rendered profile view screen after submit 2) Used ofbizUrl macro to show an image instead of /content/control/stream URL Thanks: Moatasim Al Masri for reporting, Mohammed Rehan Khan for fixing ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861872 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10858) Issue 1: 1. Open https://demo-trunk.ofbiz.apache.org/ecomseo 2. Click on a category from the Categories section 3. Refresh the page Actual: 1. Last Categories is blank 2. If we refresh the page then only the search category visible with the last row blank with a bullet. Issue 2: 1. Open https://demo-trunk.ofbiz.apache.org/ecomseo 2. Click on a category from the Categories section 3. Again, open the https://demo-trunk.ofbiz.apache.org/ecomseo in the new tab Actual: 1st row is blank with searched categories As per the initial observation, the issue persists for some specific categories like Dropship Products, Account Activation and Services. For all other categories, the last categories section is populated correctly. So there could be some issue with the data. Thanks: Rashi Dhagat for reporting, Priya Sharma for the fix git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1861989 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862046 | jleroux | 2019-06-25 11:44:54 +0200 (mar. 25 juin 2019) | 1 ligne Reverted: it was not supposed to be committed, "wrong button" while backporting ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862049 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862207 | jleroux | 2019-06-27 14:03:21 +0200 (jeu. 27 juin 2019) | 8 lignes Fixed: Export XML data, ,o proper error message displayed if user misses to select entities (OFBIZ-11125) No Proper error message is displayed if user misses to select entities from the list, and throw error message Thanks: Jayansh Shinde ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862210 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862271 | jleroux | 2019-06-28 11:39:44 +0200 (ven. 28 juin 2019) | 11 lignes fixed: supplierProductId Should Have Consistent Types Across Entities. (OFBIZ-10150) During some data migration I hit an issue where my data for supplierProductId was too long. So I looked up the fields and noticed that the order item entity had a different type for the field than the supplier product entity. jleroux: we should do it for all cases Thanks: jesse thomas for report and Rohit Hukkeri for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862274 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862278 | jleroux | 2019-06-28 13:53:55 +0200 (ven. 28 juin 2019) | 17 lignes Fixed: User should be notified with success message on MRP run in manufacturing component (OFBIZ-9533) Steps to regenerate: 1. Go to Manufacturing component (manufacturing/control/main) 2. Click on Mrp sub menu (manufacturing/control/FindInventoryEventPlan) 3. Click on Run Mrp button.(manufacturing/control/RunMrp) 4. Select Facility/Facility Group and Click Submit button. On success, the user should be notified with success message like "Mrp run is scheduled". jleroux: despite being a sub-task of an improvement I decided to backport. It works well and nothing could go wrong, only UI changes. Thanks: Aditya Sharma for report, Humera Khan for the fix, Prachi Shastri for testing and Pierre Smits for noticing this could be backported (despite being a sub-task of an improvement) ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862281 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862466 | jleroux | 2019-07-03 15:30:28 +0200 (mer. 03 juil. 2019) | 20 lignes Fixed: Error message is displayed when user having space in username logs in at ecommerce (OFBIZ-10671) Steps to regenerate: # Open URL: [https://demo-trunk.ofbiz.apache.org/ecommerce/control/main] # Click on register in header section # Provide all the mandatory information but provide a user name such that is contains a space (like: Walter White or Jesse Pinkman) # Click on save button Actual: When user clicks on save button then he is redirected to main page of ecommerce and an error message is displayed. Similarly when user with space in username tries to login, error message is displayed. Praven: Added standard regex for username allowed alphabets, numbers, and _- jleroux: actually "-" was missing in the regepx definition. Thanks: Arpit Mor for report and Praveen Sharma for the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862474 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1862648 | jleroux | 2019-07-06 11:42:46 +0200 (sam. 06 juil. 2019) | 14 lignes Fixed: Error message is displayed when user having space in username logs in at ecommerce (OFBIZ-10671) Pierre pointed out that the NotValidUserName label NL translation was wrong and proposed a right one. Looking at it closer EN and FR were not totally right either. I have fixed them. Before committing, I wondered if we should remove all other languages, then English would be used. Or if we let it as is for users of these languages to propose a fix, as Pierre did. I'm more for the later, then end users who don't speak English would at least have something they can read and possibly amend. Thanks: Pierre Smits ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1862651 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1835871 | surajk | 2018-07-14 07:35:44 +0200 (sam. 14 juil. 2018) | 10 lignes Improved: All existing party contact mechs should be deleted before creating new one. (OFBIZ-10396) Currently, everywhere in code base, before creating new party contact mech record, we use deletePartyContactMechPurposeIfExists service to delete old records. But, problem is <first-from-list is used everywhere which only deletes first fetched record. All previous records should also gets deleted before creating new party contact mech purpose for a specific purpose type. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1863474 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1863560 | jleroux | 2019-07-22 17:21:14 +0200 (lun. 22 juil. 2019) | 37 lignes Fixed: Unknown request [images]; this request does not exist or cannot be called directly. (OFBIZ-10895) Today Olivier reported directly to me that there was an issue in HR: <<If you go to humanres, at the level of the tree that appears the icons to expand the tree no longer appear (but you can click...) This is due to the path of the d.png image which is wrong in the css file (there is too much image in the path)>> I should have seen it because the d.png file is, with other related image files, in the same directory than style.css. And there was an inconsistency in the style.css files regarding the d.png file path. We should note that we have still this error in log: 2019-07-22 16:25:26,275 |jsse-nio-8443-exec-7 |ControlServlet |E| Error in request handler: org.apache.ofbiz.webapp.control.RequestHandlerException: Unknown request [d.png]; this request does not exist or cannot be called directly. at org.apache.ofbiz.webapp.control.RequestHandler.doRequest (RequestHandler.java:277) ~[ofbiz.jar:?] As I wrote in my last commit for OFBIZ-10895: The only safe way to go is to not only check the error log for "Unknown request [...." but also to look for 404 in access log, not all request show erroneously in error log. Some error appears before the user is logged in, as I wrote in the Jira: <<I noticed that this error message often appears before login. A 404 can be seen in the access log and then once logged the issue no longer exists (ie we get a 200). I have no yet investigated why...>> Nevertheless, I want to remove this misleading error message. I hope I'll do that before forgetting. Thanks: Olivier Heintz ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1863563 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10639) The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on their computer, smartphone or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and give them a choice to allow it or not. The EU Cookie Legislation began as a directive from the European Union. Some variation on the policy has since been adopted by all countries within the EU. The EU Cookie Legislation requires 4 actions from website owners who use cookies: 1. When someone visits your website, you need to let them know that your site uses cookies. 2. You need to provide detailed information regarding how that cookie data will be utilized. 3. You need to provide visitors with some means of accepting or refusing the use of cookies in your site. 4. If they refuse, you need to ensure that cookies will not be placed on their machine. Used cookie bar plugin to implement the feature. Implemented localization with createJsLanguageFileMapping service and custom jquery-cookieBar-en-US.js file under localization folder. Fixed output file path in createJsLanguageFileMapping service. Thanks Deepak Nigam for initiating and providing initial patch. Thanks Deepak Nigam, Pierre Smits, Michael Brohl, Jacques Le Roux and Swapnil M Mane for inputs. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864199 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-11146) The ListVisualTheme page uses LookupDecorator and in the absence of any shortcut icon the browser hits favicon.ico file by default. Additional change: Fixed path for title.gif specific to Flatgrey theme git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864214 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1864716 | jleroux | 2019-08-08 17:28:45 +0200 (jeu. 08 août 2019) | 15 lignes Fixed: [FB] Find Security Bugs (OFBIZ-9973) FindBugs is now deprecated and replaced by Spotbugs Last time I forgot to encode productId as reported by Man Yue Mo from Semmle This eventually fixes the "Relative path traversal" issue reported by Spotbugs by encoding the whole file name. Nevertheless Spotbugs continues to report the same issue in trunk but not in R16 I have not ideas why and I see no other possible issue. I will backport and check again. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864719 13f79535-47bb-0310-9956-ffa450edef68

requirements. (OFBIZ-10145) Remove gradle-wrapper.jar and other automatically generated files in preparation for the new release. Upgraded build.gradle to remove deprecated directives that do not work with recent versions of Gradle. Updated the README notes according to the new prerequisites for building our product. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864797 13f79535-47bb-0310-9956-ffa450edef68

…. 1864797 in preparation for the new release since they are required by the CI scripts; as discussed in the dev list they will be removed by the release files only. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864806 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1864881 | jleroux | 2019-08-10 17:51:19 +0200 (sam. 10 août 2019) | 7 lignes Fixed: [FB] Find Security Bugs (OFBIZ-9973) This fixes an issue in FrameImage::uploadFrame which was reported by Man Yue Mo as described in OFBIZ-9973 I finally decided to follow OWASP advice about using normalize() ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864884 13f79535-47bb-0310-9956-ffa450edef68

Updates the README.md.html for 16.11.06 git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1864933 13f79535-47bb-0310-9956-ffa450edef68

…add a step to our build notes (OFBIZ-10145) As discussed on dev ML we will use the init-gradle-wrapper script also in R16.11 Here are the files, not tested and missing the file in Bintray git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865396 13f79535-47bb-0310-9956-ffa450edef68

When you run 'sh gradle/init-gradle-wrapper.sh', if the script gradlew at the OFBiz root isn't present we download it from bintray. I also update shasum fingerprint for gradle-wrapper.jar and gradle-wrapper.properties related to 16.10 release. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865546 13f79535-47bb-0310-9956-ffa450edef68

…wrapper file. Improvements to comments and messages in the init-gradle-wrapper.sh script. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865605 13f79535-47bb-0310-9956-ffa450edef68

…home Updates README file for instructions to run init-gradle-wrapper in Windows git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865736 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Order status history should show party id instead of user login id (OFBIZ-11121) Thanks: Ashish Kumar Pandey for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865815 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-11013) Added missing partyTypeId data for the Scrum Parties. Thanks: Pierre Smits for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865835 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1865883 | jleroux | 2019-08-25 11:48:31 +0200 (dim. 25 août 2019) | 8 lignes Fixed: UiLabel is missing for Web Analytics Type on content component (OFBIZ-11170) Steps to reproduce content/control/EditWebAnalyticsConfig?webSiteId=WebStoreClone On that Web Analytics Type UiLabel is missing. Thanks: Rahul Marjiwe ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1865886 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1866259 | jleroux | 2019-09-02 09:32:48 +0200 (lun. 02 sept. 2019) | 10 lignes Fixed: NotSerializableException after uploading images to an order (OFBIZ-11123) In a lot of services we use the ByteBuffer object to upload files. When a such service is used with the redirect-parameter in a controller the ByteBuffer needs to be serialized. Unfortunately ByteBuffer (in our case its subclass HeapByteBuffer) is not serializable. So that can't work. Fortunately no redirect-parameter concerns uploadedFile so we can safely remove it from reqAttrMap in RequestHandler ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866262 13f79535-47bb-0310-9956-ffa450edef68

…e OS git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866454 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1865852 | pawan | 2019-08-24 16:28:57 +0200 (sam. 24 août 2019) | 8 lignes Fixed: Issue of unable to view a PartyContent on view profile page of a party (OFBIZ-11038) When click on view button img request will be hit along with contentName and imgId as a parameter. This request invokes serveImage event(DataEvents.java) which is deprecated now. Instead of img request we can call stream request with contentId as a parameter that invokes serveObjectData event. This will work as per the value of content-disposition-type (requestHandler.properties) i.e. attachement or inline Thanks: Devanshu Vyas for reporting the issue and Humera Khan for the patch and Prachi Shastri for testing of the bug. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866592 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1866834 | jleroux | 2019-09-12 09:49:41 +0200 (jeu. 12 sept. 2019) | 8 lignes Improved: Improve ObjectInputStream class (OFBIZ-10837) Fixes CVE-2019-0189 Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property CVE-2019-0189 ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866837 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method (OFBIZ-11198) FindAPInvoices request does not suffer from this issue nor findInvoice request. This was due to <screen name="FindArInvoices"> definition Using something similar than <screen name="FindApInvoices"> fixes the issue ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866893 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile (OFBIZ-11196) These are not really path traversal issues. We can't solve them using the traditional way to fix path traversal issues (ie normalising path). Because Fetchlogs and ViewFile are actually reading files and if you have the right to read these files then nothing will prevent you to read them. The problem is more what those requests are supposed to do. Fetchlogs is supposed to read a log in the log dir and ViewFile is supposed to read a file containing labels (ie either an XML or Properties file). So the solution is to allow these requests to only do what they are supposed to do. This is what is done in ViewFile and FetLogs Groovy files. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866923 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-10751) Copy manually all files from trunk because of weird conflicts git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866940 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1866986 | jleroux | 2019-09-16 10:20:46 +0200 (lun. 16 sept. 2019) | 4 lignes Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile (OFBIZ-11196) Fixes a typo which was crashing webtools/control/LogView ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1866989 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1867099 | jleroux | 2019-09-18 09:29:18 +0200 (mer. 18 sept. 2019) | 17 lignes Fixed: Error in log when looking for parties at partymgr/control/main (OFBIZ-11201) There is this a (long stack trace) error in log (only), mostly java.lang.ClassCastException: java.util.ArrayList cannot be cast to java.util.Map at org.apache.ofbiz.base.util.string.UelFunctions.getSize(UelFunctions.java:318) I did not notice any other effect, so the fix only cleans the log. It's actually an issue in ListParty grid with this line: <set field="userLoginSize" value="${util:size(logins)}" type="Integer"/> This fixes it by replacing by <set field="userLoginSize" value="${groovy:logins.size()}"/> ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867102 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1867585 | jleroux | 2019-09-26 17:38:52 +0200 (jeu. 26 sept. 2019) | 9 lignes Fixed: Error in log when looking for parties at partymgr/control/main (OFBIZ-11201) These are similar issues in Minilang than the one fixed initially for <set field="userLoginSize" value="${util:size(logins)}" type="Integer"/> Fixed by replacing by <set field="userLoginSize" value="${groovy:logins.size()}"/> ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867588 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-11122) Corrected template location path. Thanks Shikha Jaiswal for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867661 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: User is unable to update the review of product (OFBIZ-10799) Redirected request with eligible parameters so that If the user had a search using any parameter result should persist after the update. Thanks: Ashish Sharma for report and Pierre Smits and Jacques Le Roux for the review. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867907 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Sales By Store Report not working (OFBIZ-11119) Added Null check to avoid Exception. Thanks: Chandan Khandelwal for your contribution. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867913 13f79535-47bb-0310-9956-ffa450edef68

=== Fixed: Check run payment(A/P) transactions not getting available for reconciliation (OFBIZ-10796) Check run payment group transactions don't get available for Financial Account reconciliation. Though the financial account balance gets updated during the A/P check run process, the system must allow the user with an additional step of reconciling the transactions. The cause of this is that the financial account transaction doesn't get created in the 'Created' status and has an 'Approved' status. An approved status financial transaction directly updates the financial account balance and thus don't appear in the list of the transactions to be reconciled. Thanks: Chinmay Patidar for your contribution and Pierre Smits for the review. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867933 13f79535-47bb-0310-9956-ffa450edef68

=== 'At least one phone number is required below' message should be uneditable while creating new customer using partymgr (OFBIZ-11113) Thanks: Arpit Mor for report and Saurabh Dixit for the patch. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867939 13f79535-47bb-0310-9956-ffa450edef68

=== Reverted: User is unable to update the review of product (OFBIZ-10799) Reverted rev 1867904 Thanks: Deepak Dixit for reporting the issue. git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1867975 13f79535-47bb-0310-9956-ffa450edef68

As reported by Ethan Vos on user ML, sometimes the alias between wget and Invoke-WebRequest is not present on Windows 7, better keep it simple! Also removes the comment: Anyway I believe this should be only used in dev environment which is no longer true git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868000 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1868298 | jleroux | 2019-10-11 18:45:16 +0200 (ven. 11 oct. 2019) | 20 lignes Fixed: NotSerializableException after uploading images to an order (OFBIZ-11123) I found that using in r1866259 the same fix than Si Chen used in OFBIZ-750 was wrong. The code just above this fix is {code:java} if (obj instanceof Serializable) { reqAttrMap.put(name, obj); } {code} The problem with this code is that if does not handle inner Maps which may contain a non Serializable Object. So the solution is rather to get one level deeper and apply the same. We can then remove the harcoded lines with "uploadedFile" and "_REQUEST_HANDLER_" below. Then all possible cases are handled as long as we have not inner-inner-Maps ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868301 13f79535-47bb-0310-9956-ffa450edef68

Just better English in message git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868424 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1868545 | jleroux | 2019-10-17 14:19:33 +0200 (jeu. 17 oct. 2019) | 16 lignes Fixed: EditExample always update status, because current Status not shown (OFBIZ-11230) In the EditExample Form, the drop-down is populates with the Valid change status only. So current status is not in the list and the status print in the drop-down is the next authorized. I want to modify exampleName or exampleType, I go to editExample and change what I want and validate. The problem is status is also changed! There are 12 other same or similar cases. For the first of them (in FinAccount) there is the same bug: when I change FinAccount Name, status change too. If I add current="first-in-list" in the tag drop-down it works jleroux: Quote is a peculiar case due to OFBIZ-7337 which was a wrong fix Thanks: Oliver for the analysis and the fix ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868550 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1868545 | jleroux | 2019-10-17 14:19:33 +0200 (jeu. 17 oct. 2019) | 16 lignes Fixed: EditExample always update status, because current Status not shown (OFBIZ-11230) In the EditExample Form, the drop-down is populates with the Valid change status only. So current status is not in the list and the status print in the drop-down is the next authorized. I want to modify exampleName or exampleType, I go to editExample and change what I want and validate. The problem is status is also changed! There are 12 other same or similar cases. For the first of them (in FinAccount) there is the same bug: when I change FinAccount Name, status change too. If I add current="first-in-list" in the tag drop-down it works jleroux: Quote is a peculiar case due to OFBIZ-7337 which was a wrong fix Thanks: Oliver for the analysis and the fix ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868551 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1868553 | jleroux | 2019-10-17 16:26:42 +0200 (jeu. 17 oct. 2019) | 14 lignes Fixed: FTL error for purchase order with Bulk Item Type (OFBIZ-11252) Steps to regenerate: 1. Login into the ordermgr application and click on Order Entry tab 2. Create PO with any supplier 3. Fill details and click on Continue 4. Now select Product Category with Item type Bulk and add the description and Click on add to order 5. Finalize order with Finalize Order button 6. Add Term type, ship group option, etc details and create Order. 7. Scroll down to Order Items section and See the FTL error on the screen. Thanks: Devanshu Vyas ------------------------------------------------------------------------ git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868556 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1868611 | jleroux | 2019-10-19 08:42:07 +0200 (sam. 19 oct. 2019) | 11 lignes Improved: Handling tenant in XmlRpcEventHandler (OFBIZ-10284) The XMLRPC service does not support tenants. Even if the tenant domain is included in the HTTP request the call does not affect the correct tenant. The issue and fix has been discussed in in the thread https://markmail.org/message/bz4dofrxqp6i7ove jleroux: I was able to port the R16 patch provided by Rajesh to the trunk. Thanks: Rajesh Kumar Mallah ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1868614 13f79535-47bb-0310-9956-ffa450edef68

------------------------------------------------------------------------ r1869001 | mthl | 2019-10-26 16:42:02 +0200 (sam. 26 oct. 2019) | 9 lignes Fixed: Handle whitelist of serializable classes from properties (OFBIZ-11261) There was a bug regarding the way the ‘ListOfSafeObjectsForInputStream’ value defined in the “SafeObjectInputStream.properties” file was handled. Mistakenly only one class identifier was allowed. Some unit tests have been added to check that the identified bug is fixed. ------------------------------------------------------------------------ � git-svn-id: https://svn.apache.org/repos/asf/ofbiz/branches/release16.11@1869033 13f79535-47bb-0310-9956-ffa450edef68

Release16.11 script language problem #30

Are you sure you want to change the base?

Release16.11 script language problem #30

Commits on Feb 27, 2018

Commits on Mar 9, 2018

Commits on Mar 12, 2018

Commits on Mar 13, 2018

Commits on Mar 15, 2018

Commits on Mar 16, 2018

Commits on Mar 29, 2018

Commits on Apr 4, 2018

Commits on Apr 21, 2018

Commits on Apr 27, 2018

Commits on May 3, 2018

Commits on May 4, 2018

Commits on May 8, 2018

Commits on May 9, 2018

Commits on May 12, 2018

Commits on May 15, 2018

Commits on May 17, 2018

Commits on May 18, 2018

Commits on May 28, 2018

Commits on Jun 1, 2018

Commits on Jun 3, 2018

Commits on Jun 5, 2018

Commits on Jun 8, 2018

Commits on Jun 18, 2018

Commits on Jun 23, 2018

Commits on Jul 6, 2018

Commits on Jul 18, 2018

Commits on Jul 28, 2018

Commits on Aug 7, 2018

Commits on Aug 9, 2018

Commits on Aug 11, 2018

Commits on Aug 14, 2018

Commits on Aug 17, 2018

Commits on Aug 24, 2018

Commits on Aug 31, 2018

Commits on Sep 6, 2018

Commits on Sep 14, 2018

Commits on Sep 22, 2018

Commits on Sep 30, 2018

Commits on Oct 5, 2018

Commits on Oct 9, 2018

Commits on Oct 15, 2018

Commits on Oct 27, 2018

Commits on Nov 1, 2018

Commits on Nov 2, 2018

Commits on Nov 9, 2018

Commits on Nov 14, 2018

Commits on Nov 15, 2018

Commits on Nov 24, 2018

Commits on Nov 25, 2018

Commits on Dec 6, 2018

Commits on Dec 7, 2018

Commits on Dec 8, 2018

Commits on Dec 18, 2018

Commits on Dec 22, 2018

Commits on Dec 24, 2018

Commits on Dec 31, 2018

Commits on Jan 6, 2019

Commits on Jan 7, 2019

Commits on Jan 10, 2019

Commits on Jan 11, 2019

Commits on Jan 12, 2019

Commits on Jan 13, 2019

Commits on Jan 14, 2019

Commits on Jan 15, 2019

Commits on Jan 23, 2019

Commits on Jan 24, 2019

Commits on Feb 1, 2019

Commits on Feb 3, 2019

Commits on Feb 5, 2019

Commits on Feb 6, 2019

Commits on Feb 16, 2019

Commits on Feb 17, 2019

Commits on Feb 25, 2019

Commits on Feb 27, 2019

Commits on Mar 9, 2019

Commits on Mar 12, 2019