Re: action binding with conditionals
- Subject: Re: action binding with conditionals
- From: Jonathan Rochkind <email@hidden>
- Date: Wed, 09 Apr 2003 11:53:27 -0500
At 08:44 PM 4/8/2003 -0700, Chuck Hill wrote:
A WOConditional considers that it does not have any children if the value
it is bound to returns false. Thus you must be careful changing this value
during the takeValues phase as the WOConditional will "disown" its children
if the condition becomes false.
And, it's worth mentioning again, that whether intentional or not, this
serves a security purpose. It means that no potential attacker can make up
an elementID to put in a URL to invoke an action that is inside a
conditional whose value is false---that is, a conditional whose contents
are not supposed to be available on the web page.
If it weren't for this 'feature', a potential attacker could forge an
elementID to invoke an action that is not supposed to be invokeable from
the web page at all, because it's inside a conditional that's false. I
frequently put functionality in a conditional, such that the conditional is
only true if the user has privileges to access the functionality. Were it
not for this 'feature', the user could forge an elementID to access it anyway.
I'm not sure if this was intentional in the design of WOConditional or
not. I wouldn't be surprised if it was. At any rate, even with all the
trouble it can cause developers, I consider it a fortunate design.
--Jonathan
My usual way of handling these situations is to set a flag during
takeValues and check it and change the values in appendToResponse before
calling super. This also applied to the situation of removing items from
an array bound to a WORepetition. Doing so in takeValues (due to a box
being checked for example) can lead to errors in later phases. This also
must be delayed.
Chuck
At 09:26 AM 08/04/2003 -1000, Art Isbell wrote:
>On Tuesday, April 8, 2003, at 06:14 AM, Richard L. Peskin wrote:
>
>> I think my confusion is that a
>> WOComponent (e.g. Submit button) is an object and the action is bound
>> to that object. The "event" (pressing the button) is handled by the
>> user's browser (doing the usual form data submission, etc.). It looks
>> like this button press sends a message to the Submit button object,
>> which in turn will deal with bound actions depending on conditionals.
>> Does this sound correct?
>
> For me, it's easier to consider what happens during WO's component
>template parsing. If the evaluation of a conditional results in the
>button that was clicked not being parsed in the template, then the
>action associated with the button won't be invoked. While one might be
>able to make sense out of this behavior by thinking of it in
>object-oriented terms, I'm not confident that this view would always
>lead to the correct interpretation. It's unfortunate that WO's rather
>low-level operations should be understood well, but considering what
>NeXT's WO designers were able to accomplish using the rather archaic
>Web architecture, it's rather amazing that things work as well as they
>do.
>
>Aloha,
>Art
>_______________________________________________
>webobjects-dev mailing list | email@hidden
>Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/webobjects-dev
>Do not post admin requests to the list. They will be ignored.
>
--
Chuck Hill email@hidden
Global Village Consulting Inc. http://www.global-village.net
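
An added example, not part of the original thread and not WebObjects code: a simplified Python model of the phase walk discussed above. It shows both points made in the messages: an action inside a false conditional is unreachable even when the request names its elementID, and changing the condition during takeValues loses a legitimate action unless the change is deferred to appendToResponse. The class names, the index-path ID scheme and the "invokeAction" phase label are assumptions of the model.

```python
# Simplified model of the WebObjects request phases, constructed for
# illustration; not WebObjects code. Element IDs are child-index paths.
class Element:
    """Leaf: a form field (on_value) or an action element (on_click)."""
    def __init__(self, on_value=None, on_click=None):
        self.on_value, self.on_click = on_value, on_click
    def run(self, phase, eid, req):
        if phase == "takeValues" and self.on_value and eid in req.get("checked", ()):
            self.on_value()
        # An action fires only if the walk reaches it with a matching ID.
        if phase == "invokeAction" and self.on_click and req["sender"] == eid:
            return self.on_click()

class Conditional:
    def __init__(self, cond, children):
        self.cond, self.children = cond, children
    def run(self, phase, eid, req):
        if not self.cond():  # false: children are "disowned" for this phase
            return None
        results = [c.run(phase, f"{eid}.{i}", req)
                   for i, c in enumerate(self.children)]
        return next((r for r in results if r is not None), None)

def handle(page, req, before_render=lambda: None):
    page.run("takeValues", "0", req)
    result = page.run("invokeAction", "0", req)
    before_render()  # deferred state changes land here (appendToResponse)
    return result

def forged_request(is_admin):
    # The request names the ID the privileged action would have if rendered.
    page = Conditional(lambda: True, [
        Conditional(lambda: is_admin, [Element(on_click=lambda: "deleted")])])
    return handle(page, {"sender": "0.0.0"})

def close_panel_and_save(defer):
    state = {"open": True, "pending_close": False}
    def on_checked():
        if defer:
            state["pending_close"] = True  # flag only; applied before render
        else:
            state["open"] = False          # changed during takeValues
    def apply_pending():
        state["open"] = state["open"] and not state["pending_close"]
    page = Conditional(lambda: True, [
        Element(on_value=on_checked),
        Conditional(lambda: state["open"], [Element(on_click=lambda: "saved")])])
    req = {"sender": "0.1.0", "checked": {"0.0"}}
    return handle(page, req, apply_pending), state["open"]
```

In both `close_panel_and_save` cases the panel ends up closed; only the deferred variant still runs the action that was clicked.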