turtle | 4 Aug 2012 00:09

Quick common.pl and action ?

Greetings and happy summer!
I have a quick question regarding common.pl lines:

28 	my @common_attrs = qw(
29 	dbh login favicon stylesheet titlebar password custom_db_fields vc
30 	);

Why is the forms action removed from the form at this point?
I am working on an older 1.2.X custom version where removing
$form->{action} here breaks all kinds of buttons like add AP transaction
on the vendor page.

Adding action to the loop makes them work again:

28 	my @common_attrs = qw(
29 	dbh login favicon stylesheet titlebar password custom_db_fields vc action
30 	);

Thanks in advance
Turtle

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Chris Travers | 4 Aug 2012 08:16

Re: Quick common.pl and action ?

On Fri, Aug 3, 2012 at 3:09 PM,  <turtle@...> wrote:
> Greetings and happy summer!
> I have a quick question regarding common.pl lines:
>
> 28      my @common_attrs = qw(
> 29      dbh login favicon stylesheet titlebar password custom_db_fields vc
> 30      );
>

Hi Turtle

Reviewing this you are probably right.  action should be preserved.  I
can add this to the 1.2 branch which is still supported for now, as
well as the 1.3 and trunk branches.  Would you like a reference in the
CONTRIBUTORS file?

Best Wishes,
Chris Travers

turtle | 4 Aug 2012 18:09

Re: Quick common.pl and action ?

Well, sure, however I haven't tested everything to see if that would break
something somewhere else.
Like for instance if you had an action hidden in the form and used
common.pl to wipe it.
But since common.pl is pure LedgerSMB you would know.

One more question:
Is there a security reason for having db queries in pm's and not pl's?
Or just cleaner coding?

Cheers
Turtle

Chris Travers | 5 Aug 2012 03:09

Re: Quick common.pl and action ?

On Sat, Aug 4, 2012 at 9:09 AM,  <turtle@...> wrote:
> Well, sure, however I haven't tested everything to see if that would break
> something somewhere else.
> Like for instance if you had an action hidden in the form and used
> common.pl to wipe it.
> But since common.pl is pure LedgerSMB you would know.

Well, the one issue that has come to my mind after the fact is what
happens when action is part of the callback.  I think we have been
moving away from this but I will need to find an example and track it.
Maybe it would be safest to make these properties conditional
overwrites (i.e. overwritten unless provided in the callback, at least
for action)?

Best Wishes,
Chris Travers
>
>
> One more question:
> Is there a security reason for having db queries in pm's and not pl's?
> Or just cleaner coding?
>
> Cheers
> Turtle
>
>

Chris Travers | 5 Aug 2012 04:17

Re: Quick common.pl and action ?

On Sat, Aug 4, 2012 at 9:09 AM,  <turtle@...> wrote:

> One more question:
> Is there a security reason for having db queries in pm's and not pl's?
> Or just cleaner coding?

No security reason.  I think the reason has to do with code re-use.

Best Wishes,
Chris Travers

turtle | 5 Aug 2012 04:43

Re: Quick common.pl and action ?

Well adding action to that loop in common.pl
causes login to go into an infinite loop :(

Here is some output from my debugger:
login.pl  274sub login
mainbin/login.pl92
LedgerSMB/User.pm sub new Line: 46
Caller: mainbin/login.pl316

LedgerSMB/User.pm sub login Line: 216
Caller: mainbin/login.pl319

LedgerSMB/User.pm sub check_recurring Line: 317
Caller: mainbin/login.pl372

LedgerSMB/Form.pm sub redirect Line: 565
Caller: mainbin/login.pl397

common.pl sub redirect Line: 35
Caller: FormLedgerSMB/Form.pm577

LedgerSMB/Form.pm sub new Line: 57
Caller: maincommon.pl90

LedgerSMB/User.pm sub fetch_config Line: 142
Caller: maincommon.pl103

LedgerSMB/User.pm sub get_baselabor Line: 1093
Caller: LedgerSMB::UserLedgerSMB/User.pm199


Chris Travers | 5 Aug 2012 05:06

Re: Quick common.pl and action ?

On Sat, Aug 4, 2012 at 7:43 PM,  <turtle@...> wrote:
> Well adding action to that loop in common.pl
> causes login to go into an infinite loop :(
>
Change it to a conditional check.

$form->{action} = $tempvars{action} unless $form->{action} and take it
out of that loop.

Best Wishes,
Chris Travers

Chris Travers | 5 Aug 2012 11:52

Re: Quick common.pl and action ?

Turtle;

Can you try the most recent common.pl in branches/1.2 and see if that
works for you?

The only difference between that and your patch is that if action is
not specified in the callback, it is set to the form's action.  This
should make it safer if any script checks the value of $form->{action}
following the redirect.

Best Wishes,
Chris Travers
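The conditional overwrite Chris describes in this message and the previous one, as an added example and not LedgerSMB's own common.pl: a small model of the redirect helper that copies the common attributes from the old form into the form built from the callback, run in the three variants the thread went through (action dropped, action copied unconditionally, action copied only when the callback does not carry one). The helper names form_from_callback and redirect_form, the mode argument and the old-form values are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not LedgerSMB's common.pl: models how 'action' survives a
# redirect under the three variants discussed in the thread.
use strict;
use warnings;

# Attributes copied across a redirect (the list from the thread; 'action'
# is kept out of the unconditional loop on purpose).
my @common_attrs = qw(dbh login favicon stylesheet titlebar password custom_db_fields vc);

# Hypothetical callback parser: "script.pl?action=foo&id=1" -> new form hash.
sub form_from_callback {
    my ($callback) = @_;
    my %form;
    my ($script, $query) = split /\?/, $callback, 2;
    $form{script} = $script;
    for my $pair (split /&/, $query // '') {
        my ($k, $v) = split /=/, $pair, 2;
        $form{$k} = $v // '' if defined $k && length $k;
    }
    return \%form;
}

# Build the post-redirect form. $action_mode (constructed for this example):
#   'never'      - original common.pl: action is not carried over
#   'always'     - action added to the loop: the callback's action is clobbered
#   'unless_set' - the 1.2 branch fix: old action only if the callback has none
sub redirect_form {
    my ($old, $callback, $action_mode) = @_;
    my $new = form_from_callback($callback);
    $new->{$_} = $old->{$_} for grep { exists $old->{$_} } @common_attrs;
    if ($action_mode eq 'always') {
        $new->{action} = $old->{action};
    } elsif ($action_mode eq 'unless_set') {
        $new->{action} = $old->{action} unless $new->{action};
    }
    return $new;
}

# Constructed sample: the form as it looks inside login.pl before redirecting.
my %old = (login => 'turtle', action => 'login', dbh => 'DBH', vc => 'vendor');

# 'never': action is lost, which is what broke turtle's vendor-page buttons.
my $dropped = redirect_form(\%old, 'ap.pl?id=1', 'never');
# 'always': the callback asked for 'display' but gets 'login' back, so the
# login script keeps re-entering itself (the loop turtle hit).
my $clobbered = redirect_form(\%old, 'menu.pl?action=display', 'always');
# 'unless_set': the callback's action wins when present, and the old one
# only fills the gap when the callback carries none.
my $kept   = redirect_form(\%old, 'menu.pl?action=display', 'unless_set');
my $filled = redirect_form(\%old, 'ap.pl?id=1', 'unless_set');

for my $case ([never => $dropped], [always => $clobbered],
              ['unless_set (callback has action)' => $kept],
              ['unless_set (callback has none)'   => $filled]) {
    my ($label, $form) = @$case;
    printf "%-35s script=%s action=%s\n", $label, $form->{script},
        $form->{action} // '(none)';
}
```

Whichever variant is used, the value that survives here is the one the callback carried, so a script that dispatches on $form->{action} after the redirect should still check it against the actions it actually knows, as it would for any other form-supplied value.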

turtle | 5 Aug 2012 19:05

Re: Quick common.pl and action ?

Works great, thanks!
Oh, I did have to add a ; at the end of line 48.
What I did to test:
I checked out:
Path: ledgersmb-1.2
URL: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2
Repository Root: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb
Repository UUID: 4979c152-3d1c-0410-bac9-87ea11338e46
Revision: 5102
And it loaded my test database just fine.
Logged in and posted some transactions.
Much cleaner patch too.

Cheers
Turtle
