Security and takeValuesFromRequest()
- Subject: Security and takeValuesFromRequest()
- From: Nathan Hampton <email@hidden>
- Date: Mon, 18 Apr 2005 14:36:47 -0700
I have a situation where some users need to be able to change values
for only a subset of the keys in an EO, while others may change all
values. I did the usual thing -- putting the fields that require
higher privileges in a WOConditional -- but then realized that an HTTP
request could be created that would include values that the user wasn't
authorized to change. As a result, takeValuesFromRequest() would make
the changes, even though that user wasn't allowed to do so.

First of all, is this actually possible? If it is, how do I plug the
hole? (If it isn't, it's yet another way WO is just that cool.) My
immediate idea was to override takeValuesFromRequest() and use KVC to
ensure that the only changes in the request are changes the user is
allowed to make. Is there a better way to do this?
--NCH
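
The override the message proposes could look like the sketch below; it is an added example, not part of the original post and not code from the WebObjects project. The component name `EditRecordPage`, the key names `title` and `notes`, and the `isPrivilegedUser()` helper are assumptions made for illustration, and the check covers attributes and to-one relationships only.

```java
import com.webobjects.appserver.WOComponent;
import com.webobjects.appserver.WOContext;
import com.webobjects.appserver.WORequest;
import com.webobjects.eocontrol.EOEnterpriseObject;
import com.webobjects.foundation.NSArray;
import com.webobjects.foundation.NSDictionary;
import com.webobjects.foundation.NSKeyValueCoding;

// Hypothetical edit page; the class name, key names and isPrivilegedUser()
// are assumptions made for this example.
public class EditRecordPage extends WOComponent {
    // Keys an unprivileged user may change (constructed sample names).
    private static final NSArray UNPRIVILEGED_KEYS =
        new NSArray(new Object[] { "title", "notes" });

    public EOEnterpriseObject record;   // the EO bound to the form fields

    public EditRecordPage(WOContext context) {
        super(context);
    }

    // Assumption: a real page would consult the session's logged-in user.
    public boolean isPrivilegedUser() {
        return false;
    }

    public void takeValuesFromRequest(WORequest request, WOContext context) {
        // Let the bindings push whatever the request carried into the EO.
        super.takeValuesFromRequest(request, context);
        if (record == null || isPrivilegedUser()) {
            return;
        }
        // Compare the EO with its last committed state.
        NSDictionary committed =
            record.editingContext().committedSnapshotForObject(record);
        if (committed == null) {
            return; // no committed state to compare against (e.g. new object)
        }
        NSArray changedKeys = record.changesFromSnapshot(committed).allKeys();
        for (int i = 0; i < changedKeys.count(); i++) {
            String key = (String) changedKeys.objectAtIndex(i);
            if (!UNPRIVILEGED_KEYS.containsObject(key)) {
                // Put back the committed value for a key this user may not edit.
                Object old = committed.objectForKey(key);
                record.takeValueForKey(
                    old == NSKeyValueCoding.NullValue ? null : old, key);
            }
        }
    }
}
```

Because the comparison is made against the committed snapshot rather than against the request's form values, it does not depend on how the form fields were named in the submitted request.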