myfaces-users mailing list archives

From "Kevin Galligan" <kgalli...@gmail.com>
Subject Spoofing commandLink
Date Wed, 13 Dec 2006 18:22:33 GMT
I've been wondering something for a little while now.  Some of the CRUD-style
links in my app use 'h:commandLink', with 't:updateActionListener' to
set the particular element id value for that page.  In days past I'd put the
id on the query string, so like ...

/app/DetailPage.do?itemId=1234

Now, obviously, you had to be careful because somebody could change the id
value manually.  With JSF, using t:updateActionListener, can somebody change
the id value sent?  If I'm 100% sure they couldn't, I could relax the access
checking a little.

Most of these links are in t:dataTables, with preserveDataModel="true".  If
state is kept on the server, or encrypted on the client (I think you can do
that, right?), do I have to worry about the user getting access to something
they shouldn't?

Thanks in advance,
-Kevin
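
Added example, not part of the original post: the access check the message refers to, done in the action handler so it holds however the item id reaches the server (query string, listener-set bean property, saved state). All names (`Item`, `STORE`, `loadUnchecked`, `loadForUser`) and the sample data are hypothetical and constructed for illustration; no JSF API is used.

```java
import java.util.Map;
import java.util.Optional;

public class DetailAccessExample {

    // Hypothetical domain object: every item records which user owns it.
    record Item(long id, String owner, String title) {}

    // Stand-in for the persistence layer; constructed sample data.
    static final Map<Long, Item> STORE = Map.of(
        1234L, new Item(1234L, "kevin", "Kevin's item"),
        1235L, new Item(1235L, "alice", "Alice's item"));

    // Relaxed form: trusts the delivered id, so whoever controls the id
    // controls which record comes back.
    static Optional<Item> loadUnchecked(long itemId) {
        return Optional.ofNullable(STORE.get(itemId));
    }

    // Checked form: the id is treated as untrusted input and compared with
    // the authenticated user on every request.
    static Optional<Item> loadForUser(String authenticatedUser, long itemId) {
        Item item = STORE.get(itemId);
        if (item == null || !item.owner().equals(authenticatedUser)) {
            // Same answer for "missing" and "not yours", so ids cannot be probed.
            return Optional.empty();
        }
        return Optional.of(item);
    }

    static String show(Optional<Item> result) {
        return result.map(Item::title).orElse("denied");
    }

    public static void main(String[] args) {
        // kevin opens his own item: both forms return it.
        System.out.println(show(loadUnchecked(1234L)));
        System.out.println(show(loadForUser("kevin", 1234L)));
        // The id arrives as 1235 instead of 1234 in kevin's session.
        System.out.println(show(loadUnchecked(1235L)));        // Alice's item
        System.out.println(show(loadForUser("kevin", 1235L))); // denied
        // An id that does not exist is indistinguishable from a foreign one.
        System.out.println(show(loadForUser("kevin", 9999L))); // denied
    }
}
```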
