[ https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464501 ]
David Chandler commented on MYFACES-1467:
-----------------------------------------
Jeff, Cristi, you're absolutely right. There is no conflict between the
required and disabled/readonly attributes--that's what I get for posting after
a long week in another time zone. It is possible to preserve the prior security
benefit as well as restore the old behavior, and I've provided patch2.txt to
that end. In order to beef up the validate() method, I added isDisabled() and
isReadonly() methods which read from the special component attributes map since
not all UIInput components have the readonly and disabled properties.

At first, I was concerned that parameter tampering might be possible when
disabled or readonly is true; however, this is prevented by
HtmlRendererUtils.decodeUIInput, which doesn't set the submitted value if the
component is disabled or readonly, which is no doubt why the unamended spec
said that validation implementations should skip validation if the submitted
value is null. In essence, JSF has always ignored user input for disabled and
readonly components, and the new patch preserves that behavior, while still
preventing parameter tampering if a required value is missing from a component
that is enabled for editing (i.e., not readonly or disabled).

Please give patch2 a whirl. I confirmed that I do not get validation errors
when using both required=true and disabled=true.
> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
> Key: MYFACES-1467
> URL: https://issues.apache.org/jira/browse/MYFACES-1467
> Project: MyFaces Core
> Issue Type: Bug
> Components: General
> Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
> Reporter: David Chandler
> Assigned To: Matthias Weßendorf
> Fix For: 1.1.5-SNAPSHOT
>
> Attachments: patch.txt
>
>
> A component with a required value will not fail validation as expected if the
> submitted value is null. This issue is not seen normally because browsers
> send the value for an empty text field as an empty string. That is, the POST
> data for an empty field1 will contain the field name but no value, like
> field1=&field2=something. However, if you use a man-in-the-middle proxy such
> as Paros to remove "fieldname=" from the POST data, the submitted value will
> be null. UIInput.validate() skips validation for null submitted values, but
> since requiredness is also part of validation, the requiredness check gets
> skipped, too.
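
The null-versus-empty distinction from the issue description and the disabled/readonly handling from the comment, as a simplified Java model added here for illustration. It is not MyFaces code and not the attached patch; the names Field, parse, decode, validateOld and validatePatched are hypothetical, and the request bodies are constructed samples.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the behaviour discussed in MYFACES-1467 (not MyFaces code).
// All class and method names here are hypothetical. Requires Java 16+ (records).
public class RequiredNullDemo {
    record Field(String name, boolean required, boolean disabled, boolean readonly) {}

    // Minimal form-body parser (no URL decoding): "f=" yields "", a missing key yields null.
    static Map<String, String> parse(String body) {
        Map<String, String> params = new HashMap<>();
        for (String pair : body.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            params.put(eq < 0 ? pair : pair.substring(0, eq), eq < 0 ? "" : pair.substring(eq + 1));
        }
        return params;
    }

    // Decode step: disabled/readonly components never receive a submitted value.
    static String decode(Field f, Map<String, String> params) {
        return (f.disabled() || f.readonly()) ? null : params.get(f.name());
    }

    // Old behaviour: a null submitted value skips all validation, required check included.
    static boolean validateOld(Field f, String submitted) {
        if (submitted == null) return true;
        return !(f.required() && submitted.isEmpty());
    }

    // Patched behaviour: null on a required field fails unless the field is disabled/readonly.
    static boolean validatePatched(Field f, String submitted) {
        if (submitted == null) {
            boolean editable = !f.disabled() && !f.readonly();
            return !(f.required() && editable);
        }
        return !(f.required() && submitted.isEmpty());
    }

    public static void main(String[] args) {
        Field editable = new Field("field1", true, false, false);
        Field disabled = new Field("field1", true, true, false);
        String[] bodies = {"field1=&field2=something", "field2=something"}; // constructed samples
        for (String body : bodies) {
            Map<String, String> p = parse(body);
            System.out.printf("%-26s old=%b patched=%b disabledPatched=%b%n", body,
                validateOld(editable, decode(editable, p)),
                validatePatched(editable, decode(editable, p)),
                validatePatched(disabled, decode(disabled, p)));
        }
    }
}
```

Each printed column is whether the required field1 passes validation: under the old logic only the body that omits field1 passes, and under the patched logic neither body passes for an editable field while the disabled field passes in both cases.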