Re: Security and takeValuesFromRequest()
  • Subject: Re: Security and takeValuesFromRequest()
  • From: Sam Barnum <email@hidden>
  • Date: Tue, 19 Apr 2005 11:55:13 -0700

You could run into security problems if you were using DirectActions to process your form data, however. Although I have a feeling that that's not the case here.
- Sam


On Apr 18, 2005, at 9:23 PM, Chuck Hill wrote:

No, it is not a problem. WO won't "take" any values that were not in the
response that it generated. It is not "take all the values from the
request" but rather "take the values that I asked for from the request".
Put another way, it is a pull not a push technology. The WO form inputs
pull the values they need from the request. Anything else is ignored.
Anything in a conditional evaluating to false essentially does not exist.


Chuck

At 02:36 PM 18/04/2005 -0700, Nathan Hampton wrote:
I have a situation where some users need to be able to change values
for only a sub-set of the keys in an EO, while others may change all
values. I did the usual thing -- putting the fields that require
higher privileges in a WOConditional -- but then realized that an HTTP
request could be created that would include values that the user wasn't
authorized to change. As a result, takeValuesFromRequest() would make
the changes, even though that user wasn't allowed to do so.


First of all, is this actually possible?  If it is, how do I plug the
hole?  (If it isn't, it's yet another way WO is just that cool.)  My
immediate idea was to override takeValuesFromRequest() and use KVC to
ensure that the only changes in the request are changes the user is
allowed to make.  Is there a better way to do this?

--NCH

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden


--

Practical WebObjects - a book for intermediate WebObjects developers
who want to increase their overall knowledge of WebObjects, or those
who are trying to solve specific application development problems.
http://www.global-village.net/products/practical_webobjects


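The two cases the thread contrasts, as an added example that is not code from the thread or from WebObjects itself: in a WOComponent the pull model Chuck describes means fields hidden by a false WOConditional simply do not exist at takeValuesFromRequest() time, but a WODirectAction never rendered the form, so (as Sam notes) any DirectAction that copies form values straight into an EO applies whatever the client chose to send. The vulnerable action below does exactly that; the hardened one pulls only an explicit per-privilege allow list of keys (Nathan's KVC idea, done in the action rather than by overriding takeValuesFromRequest()) and refuses the request if a privileged key is present. The Employee attributes, the session keys "currentEmployee" and "isAdmin", and the page names "EmployeeView" and "Forbidden" are assumptions of the example.

```java
import java.util.Enumeration;

import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WORequest;
import com.webobjects.eocontrol.EOEnterpriseObject;
import com.webobjects.foundation.NSArray;
import com.webobjects.foundation.NSLog;
import com.webobjects.foundation.NSMutableArray;
import com.webobjects.foundation.NSMutableDictionary;
import com.webobjects.foundation.NSSet;

/*
 * Added example, not code from the thread. Assumes an Employee EO with the
 * attributes "name" and "email" (editable by the employee) and "salary" and
 * "role" (editable by administrators only). The session keys "currentEmployee"
 * and "isAdmin" and the page names are hypothetical.
 */
public class EmployeeDA extends WODirectAction {

    // Keys a plain user may change, and the superset an administrator may change.
    private static final NSSet USER_KEYS  = new NSSet(new Object[] { "name", "email" });
    private static final NSSet ADMIN_KEYS = new NSSet(new Object[] { "name", "email", "salary", "role" });

    public EmployeeDA(WORequest request) {
        super(request);
    }

    // VULNERABLE: "push" every form value into the EO. No WOConditional ever
    // hid the privileged fields here, because this action did not render the
    // form, so a hand-crafted POST carrying salary=999999 is applied via KVC
    // exactly like name=Bob.
    public WOActionResults unsafeUpdateAction() {
        EOEnterpriseObject emp = currentEmployee();
        WORequest req = request();
        Enumeration keys = req.formValueKeys().objectEnumerator();
        while (keys.hasMoreElements()) {
            String key = (String) keys.nextElement();
            emp.takeValueForKey(req.formValueForKey(key), key);   // mass assignment
        }
        emp.editingContext().saveChanges();
        return pageWithName("EmployeeView");
    }

    // HARDENED: "pull" only the keys this caller may change (the same pull
    // model WO uses for component forms), and reject the request outright if
    // it names a privileged attribute the caller is not allowed to touch.
    public WOActionResults updateAction() {
        EOEnterpriseObject emp = currentEmployee();
        WORequest req = request();
        NSSet allowed = isAdmin() ? ADMIN_KEYS : USER_KEYS;

        NSArray forbidden = forbiddenKeys(req.formValueKeys(), allowed, ADMIN_KEYS);
        if (forbidden.count() > 0) {
            NSLog.out.appendln("EmployeeDA: rejected privileged form keys " + forbidden);
            return pageWithName("Forbidden");
        }
        emp.takeValuesFromDictionary(permittedValues(req, allowed));
        emp.editingContext().saveChanges();
        return pageWithName("EmployeeView");
    }

    /** Form keys that are editable EO attributes but lie outside the caller's allow list.
     *  Unrelated keys (submit button names and the like) are not an attack and are ignored. */
    static NSArray forbiddenKeys(NSArray formKeys, NSSet allowed, NSSet allEditable) {
        NSMutableArray bad = new NSMutableArray();
        Enumeration keys = formKeys.objectEnumerator();
        while (keys.hasMoreElements()) {
            Object key = keys.nextElement();
            if (allEditable.containsObject(key) && !allowed.containsObject(key)) {
                bad.addObject(key);
            }
        }
        return bad;
    }

    /** Values for the allowed keys that are actually present in the request: the
     *  action asks for what it wants instead of taking whatever was sent. */
    static NSMutableDictionary permittedValues(WORequest req, NSSet allowed) {
        NSMutableDictionary values = new NSMutableDictionary();
        Enumeration keys = allowed.objectEnumerator();
        while (keys.hasMoreElements()) {
            String key = (String) keys.nextElement();
            Object value = req.formValueForKey(key);
            if (value != null) {
                values.setObjectForKey(value, key);
            }
        }
        return values;
    }

    // Assumed session contract: the logged-in user's EO and an admin flag.
    private EOEnterpriseObject currentEmployee() {
        return (EOEnterpriseObject) session().valueForKey("currentEmployee");
    }

    private boolean isAdmin() {
        return Boolean.TRUE.equals(session().valueForKey("isAdmin"));
    }
}
```

The allow list, not the form markup, is the authorisation boundary in the DirectAction case: the same USER_KEYS/ADMIN_KEYS split that a WOConditional expresses in the component is what the action must enforce itself, because the request is all it ever sees.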