Re: Security and takeValuesFromRequest()
  • Subject: Re: Security and takeValuesFromRequest()
  • From: Chuck Hill <email@hidden>
  • Date: Mon, 18 Apr 2005 21:23:54 -0700

No, it is not a problem.  WO won't "take" any values that were not in the
response that it generated.  It is not "take all the values from the
request" but rather "take the values that I asked for from the request".
Put another way, it is a pull not a push technology.  The WO form inputs
pull the values they need from the request.  Anything else is ignored.
Anything in a conditional evaluating to false essentially does not exist.

Chuck

At 02:36 PM 18/04/2005 -0700, Nathan Hampton wrote:
>I have a situation where some users need to be able to change values
>for only a sub-set of the keys in an EO, while others may change all
>values.  I did the usual thing -- putting the fields that require
>higher privileges in a WOConditional -- but then realized that an HTTP
>request could be created that would include values that the user wasn't
>authorized to change.  As a result, takeValuesFromRequest() would make
>the changes, even though that user wasn't allowed to do so.
>
>First of all, is this actually possible?  If it is, how do I plug the
>hole?  (If it isn't, it's yet another way WO is just that cool.)  My
>immediate idea was to override takeValuesFromRequest() and use KVC to
>ensure that the only changes in the request are changes the user is
>allowed to make.  Is there a better way to do this?
>
>--NCH
>

--

Practical WebObjects - a book for intermediate WebObjects developers
who want to increase their overall knowledge of WebObjects, or those
who are trying to solve specific application development problems.
http://www.global-village.net/products/practical_webobjects
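
The pull-versus-push distinction described in the reply above, as an added illustration that is not code from the thread or from WebObjects: a simplified Java model in which every class, field and parameter name is hypothetical. It assumes the conditional around the privileged input is evaluated from server-side state, never from the request.

```java
import java.util.List;
import java.util.Map;
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;

// Simplified model of pull-style form binding; not WebObjects code.
// All names below are hypothetical and exist only for this illustration.
public class PullVsPushBinding {
    static class Account { String nickname = "nch"; String role = "user"; }

    // One form input: the request key it reads, the setter it is bound to,
    // and the server-side condition under which it exists in the form.
    record Input(String name, Consumer<String> setter, BooleanSupplier visible) {}

    // Push style: every recognised request parameter is copied onto the object,
    // whether or not the form offered that field to this user.
    static void pushBind(Map<String, String> request, Account a) {
        request.forEach((k, v) -> {
            if (k.equals("nickname")) a.nickname = v;
            if (k.equals("role")) a.role = v;
        });
    }

    // Pull style: each input that exists asks the request for its own key.
    // Request parameters that no input asks for are never read.
    static void pullBind(Map<String, String> request, List<Input> form) {
        for (Input in : form) {
            if (!in.visible().getAsBoolean()) continue; // false conditional: input does not exist
            String v = request.get(in.name());
            if (v != null) in.setter().accept(v);
        }
    }

    public static void main(String[] args) {
        boolean isAdmin = false; // server-side state for the current user
        // Constructed request carrying a field the form never offered this user.
        Map<String, String> forged = Map.of("nickname", "nathan", "role", "admin");

        Account pushed = new Account();
        pushBind(forged, pushed); // role is overwritten

        Account pulled = new Account();
        List<Input> form = List.of(
            new Input("nickname", v -> pulled.nickname = v, () -> true),
            new Input("role", v -> pulled.role = v, () -> isAdmin));
        pullBind(forged, form); // role is left untouched

        System.out.println("push: " + pushed.nickname + "/" + pushed.role);
        System.out.println("pull: " + pulled.nickname + "/" + pulled.role);
    }
}
```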

