beehive-dev mailing list archives

From "Daryl Olander (JIRA)" <>
Subject [jira] Created: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Date Fri, 17 Feb 2006 18:15:25 GMT
Exposed Properties on PageFlowController can be set by hidden fields in a form

         Key: BEEHIVE-1069
     Project: Beehive
        Type: Bug
  Components: NetUI  
    Versions: 1.0.1    
    Reporter: Daryl Olander
 Assigned to: Carlin Rogers 
    Priority: Blocker
     Fix For: 1.0.1

I have the following form that changes the forward path to /bar.jsp

  <netui:form action="submit">
    <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
    <netui:button value="submit" />
  </netui:form>

I also have the following action in my page flow.

    @Jpf.Action(forwards = {
           @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
    })
    protected Forward submit(Form form) {
        return new Forward("index");
    }

If the current page is index.jsp, this should navigate back to that; when the form is submitted
it will navigate to bar.jsp.  In my mind this is actually a security hole.  I can dynamically
change the navigation externally in this situation.  I haven't played around with the other
exposed properties, but (currentPageInfo, previousPageInfo, previousActionInfo) all expose the
same JavaBean that is not immutable.

I'm going to open a JIRA bug on this.  I think this is critical and needs to be fixed now.
My suggestion is that we rename these methods on the PageFlowController so they aren't picked
up as JavaBean properties.

I suggest we do this to:


We need to spin a new release on this.

This message is automatically generated by JIRA.
If you think it was sent incorrectly contact one of the administrators:
For more information on JIRA, see:
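
The mechanism reported above, as an added example that is not part of the original message and is not Beehive's NetUI binding code: a simplified dotted-path binder built on `java.beans.Introspector`, run against a controller whose accessor follows the getter naming pattern and against one whose accessor has been renamed as the report suggests. All class names, the `bind` and `find` helpers and the `theCurrentPageInfo` method name are hypothetical stand-ins.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
public class ExposedPropertyDemo {
    // Constructed stand-ins for the mutable beans the report describes.
    public static class Forward {
        private String path = "/index.jsp";
        public String getPath() { return path; }
        public void setPath(String p) { path = p; }
    }
    public static class PageInfo {
        private final Forward forward = new Forward();
        public Forward getForward() { return forward; }
    }
    // Accessor matches the JavaBean getter pattern, so "currentPageInfo" is a property.
    public static class ExposedController {
        final PageInfo info = new PageInfo();
        public PageInfo getCurrentPageInfo() { return info; }
    }
    // Same state, but the accessor name no longer matches get/is/set (hypothetical name).
    public static class RenamedController {
        final PageInfo info = new PageInfo();
        public PageInfo theCurrentPageInfo() { return info; }
    }
    static PropertyDescriptor find(Object bean, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors())
            if (pd.getName().equals(name)) return pd;
        throw new IllegalArgumentException("no bean property '" + name + "' on " + bean.getClass().getSimpleName());
    }
    // Simplified binder: follow getters along the dotted path, then call the final setter.
    static void bind(Object root, String expr, String value) throws Exception {
        String[] parts = expr.split("\\.");
        Object target = root;
        for (int i = 0; i < parts.length - 1; i++)
            target = find(target, parts[i]).getReadMethod().invoke(target);
        find(target, parts[parts.length - 1]).getWriteMethod().invoke(target, value);
    }
    public static void main(String[] args) throws Exception {
        ExposedController exposed = new ExposedController();
        bind(exposed, "currentPageInfo.forward.path", "/bar.jsp"); // value as posted by the form
        System.out.println("exposed: " + exposed.info.getForward().getPath());
        RenamedController renamed = new RenamedController();
        try {
            bind(renamed, "currentPageInfo.forward.path", "/bar.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("renamed: rejected, " + e.getMessage());
        }
        System.out.println("renamed: " + renamed.info.getForward().getPath());
    }
}
```

The read-only getter on the controller is enough for the write to succeed, because the setter that is finally invoked lives on the mutable bean the getter hands out.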
