Exposed Properties on PageFlowController can be set by hidden fields in a form
-------------------------------------------------------------------------------
Key: BEEHIVE-1069
URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
Project: Beehive
Type: Bug
Components: NetUI
Versions: 1.0.1
Reporter: Daryl Olander
Assigned to: Carlin Rogers
Priority: Blocker
Fix For: 1.0.1
I have the following form that change the forward path to /bar.jsp
<netui:form action="submit">
<netui:hidden dataSource="pageFlow.currentPageInfo.forward.path "
dataInput="/bar.jsp"/>
<netui:button value="submit" />
</netui:form>
I also have the following action in my page flow.
@Jpf.Action(
forwards={
@Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
}
)
protected Forward submit(Form form)
{
return new Forward("index");
}
If the current page is index.jsp, this should navigate back to that, when the
form is submitted it will navigate to bar.jsp. In my mind this is actually a
security hole. I can dynamically change the navigation externally in this
situation. I haven't played around with the other exposed properties
(currentPageInfo, previousPageInfo, previousActionInfo) all expose the same
JavaBean that is not immutable.
I'm going to open a Jiri bug on this. I think this is critical and needs to be
fixed now. My suggestion is that we rename these methods on the
PageFlowController so they aren't picked up as JavaBean properties.
I suggest we do this to:
currentPageInfo
previousPageInfo
previousActionInfo
modeulConfig
actions
We need to spin a new release on this.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
