Re: Security and takeValuesFromRequest()
- Subject: Re: Security and takeValuesFromRequest()
- From: Sam Barnum <email@hidden>
- Date: Tue, 19 Apr 2005 11:55:13 -0700
You could run into security problems if you were using DirectActions to
process your form data, however. Although I have a feeling that that's
not the case here.
- Sam
On Apr 18, 2005, at 9:23 PM, Chuck Hill wrote:
No, it is not a problem. WO won't "take" any values that were not in the
response that it generated. It is not "take all the values from the
request" but rather "take the values that I asked for from the request".
Put another way, it is a pull not a push technology. The WO form inputs
pull the values they need from the request. Anything else is ignored.
Anything in a conditional evaluating to false essentially does not exist.
Chuck
At 02:36 PM 18/04/2005 -0700, Nathan Hampton wrote:
I have a situation where some users need to be able to change values
for only a sub-set of the keys in an EO, while others may change all
values. I did the usual thing -- putting the fields that require
higher privileges in a WOConditional -- but then realized that an HTTP
request could be created that would include values that the user wasn't
authorized to change. As a result, takeValuesFromRequest() would make
the changes, even though that user wasn't allowed to do so.
First of all, is this actually possible? If it is, how do I plug the
hole? (If it isn't, it's yet another way WO is just that cool.) My
immediate idea was to override takeValuesFromRequest() and use KVC to
ensure that the only changes in the request are changes the user is
allowed to make. Is there a better way to do this?
--NCH
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
--
Practical WebObjects - a book for intermediate WebObjects developers
who want to increase their overall knowledge of WebObjects, or those
who are trying to solve specific application development problems.
http://www.global-village.net/products/practical_webobjects
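Sam's caveat above is the case where the "pull" model does not protect you: a DirectAction reads form values itself, so it must apply Nathan's idea of an explicit allow-list. The following is an added illustration, not code from this thread or from WebObjects; the class name, the key names and the `isAdmin` flag are assumptions standing in for an application's own session and authorization logic.

```java
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.eocontrol.EOEnterpriseObject;
import com.webobjects.foundation.NSArray;
import com.webobjects.foundation.NSMutableArray;
import com.webobjects.foundation.NSMutableSet;
import com.webobjects.foundation.NSSet;

// Hypothetical direct action that updates an EO from posted form values.
public class UpdateProfileAction extends WODirectAction {

    // Constructed example keys: every user may change these ...
    private static final NSSet BASIC_KEYS =
        new NSSet(new Object[] { "displayName", "email" });
    // ... and only privileged users may change these.
    private static final NSSet PRIVILEGED_KEYS =
        new NSSet(new Object[] { "role", "creditLimit" });

    public UpdateProfileAction(WORequest request) {
        super(request);
    }

    // Keys the current user is allowed to write. The isAdmin flag is
    // assumed to come from the session, never from the request itself.
    static NSSet allowedKeys(boolean isAdmin) {
        NSMutableSet allowed = new NSMutableSet(BASIC_KEYS);
        if (isAdmin) {
            allowed.unionSet(PRIVILEGED_KEYS);
        }
        return allowed;
    }

    // Copies only allowed form values into the EO via KVC. Any other form
    // value is ignored and its key returned, so the caller can log that a
    // request carried fields the user's page never rendered.
    static NSArray applyAllowedFormValues(WORequest request,
                                          EOEnterpriseObject eo, NSSet allowed) {
        NSMutableArray rejected = new NSMutableArray();
        NSArray keys = request.formValueKeys();
        for (int i = 0; i < keys.count(); i++) {
            String key = (String) keys.objectAtIndex(i);
            if (allowed.containsObject(key)) {
                eo.takeValueForKey(request.formValueForKey(key), key);
            } else {
                rejected.addObject(key);
            }
        }
        return rejected;
    }
}
```

A non-empty `rejected` list for a non-admin session is worth logging, since a normal browser submission of the page only carries the fields that were rendered.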