Process Recurring Orders - Security Issue
11-28-2017, 11:17 AM,
#1
Process Recurring Orders - Security Issue
Main Menu > Sales > Process Recurring Orders

After execution the page leaves me without a proper header and credentials. I must log out to start again.

   

   

It appears the code on line 5 in RecurringSalesOrderProcess.php may be the cause because if I comment it out the page works as expected:

Line 5: //$AllowAnyone = true;

I see $AllowAnyone = true; is used in 13 other places in webERP and it appears it is related to background CRON jobs.

We will have recurring orders so this slick feature could be very useful to us. I would really like to know the best way to proceed with resolution of this issue.

Any help or thoughts are greatly appreciated!
https://www.linkedin.com/in/eclipsepaulbecker
11-28-2017, 01:54 PM, (This post was last modified: 11-28-2017, 02:01 PM by TurboPT.)
#2
RE: Process Recurring Orders - Security Issue
At one point Tim [I believe] had mentioned the desire/need to eliminate the $AllowAnyone, but I don't recall the specifics at the moment. It was primarily the security aspect if I recall correctly, but there might be other reasons.

I'll try to look back for details, but he might stop by before I find the info.

=====

I found some old discussion [2014] about the AllowAnyone here. [scroll down to post #8 is where it starts]
11-28-2017, 09:59 PM,
#3
RE: Process Recurring Orders - Security Issue
Thank you for your insight into this issue.

I guess I have to ask how and why we have leftovers such as this in the code. I love OS products but it is things like this that make people move away from it.

Am I really the only one who will be using Recurring Orders and has this issue?

Not criticizing... Just asking...
https://www.linkedin.com/in/eclipsepaulbecker
11-28-2017, 11:35 PM,
#4
RE: Process Recurring Orders - Security Issue
I always remove the $AllowAnyone flag from my customers' implementations. To my mind anything that allows all security to be overridden is a _bad_ thing in an accounting application.

As I recall the 2014 thread Paul refers to arose from a Google hangout I had with Exson when he also brought up concerns about this. However as I remember it also meant Phil tried to stop me helping people on this forum so I won't get into it all again.

Tim
11-29-2017, 01:19 AM,
#5
RE: Process Recurring Orders - Security Issue
Tim - Thank you for your input - Greatly appreciated!
https://www.linkedin.com/in/eclipsepaulbecker
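Post #1 counts 13 other scripts that set `$AllowAnyone = true;` and post #4 describes removing the flag from installations. The following is an added example, not part of the thread and not webERP's own code: a Python audit that lists every `.php` file under a directory containing that assignment, marks each hit as active or commented out, and notes whether the file mentions a PHP SAPI check. The function names and the SAPI heuristic are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# The assignment quoted in the thread: $AllowAnyone = true;
ASSIGN = re.compile(r"\$AllowAnyone\s*=\s*(?i:true)\s*;")
# Assumption: a cron-only script could gate itself on the PHP SAPI (heuristic).
CLI_GUARD = re.compile(r"PHP_SAPI|php_sapi_name\s*\(")

def strip_comments(line, in_block):
    """Return (code on this line outside comments, still inside /* */?).
    String literals are not parsed, so '#' or '//' inside a string cuts the line."""
    out, i = [], 0
    while i < len(line):
        if in_block:
            end = line.find("*/", i)
            if end == -1:
                break
            i, in_block = end + 2, False
        elif line.startswith("/*", i):
            i, in_block = i + 2, True
        elif line.startswith("//", i) or line[i] == "#":
            break
        else:
            out.append(line[i])
            i += 1
    return "".join(out), in_block

def scan_file(path):
    """Return ([(line_no, 'active'|'commented')], has_cli_guard) for one file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits, in_block = [], False
    for number, line in enumerate(text.splitlines(), start=1):
        code, in_block = strip_comments(line, in_block)
        if ASSIGN.search(line):
            hits.append((number, "active" if ASSIGN.search(code) else "commented"))
    return hits, bool(CLI_GUARD.search(text))

def audit(root):
    """Map each .php file under root that mentions the flag to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits, guarded = scan_file(path)
        if hits:
            report[path.relative_to(root).as_posix()] = {"hits": hits, "cli_guard": guarded}
    return report

if __name__ == "__main__":
    for name, info in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, info)
```

Run it with the installation's root directory as the only argument; files reported as active with `cli_guard` false are the ones to review first.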

