Hi Moritz,

The use case for bypass_validation is for working with dynamic forms and adding new Fields on the fly. For example, checking a CheckBox might submit the Form to the server which could add another Field to the Form and show the updated Form to the user. In this case we might not want to validate the Form because the user did not intend to submit the Form. You can read more about it here[1].

You do raise a good point that this can be abused by an attacker. What we could do is for Form#isValid() to return false if #isBypassValidation is true. Interested in hearing your and others' thoughts on this. Also if you don't mind opening a JIRA[2] on this.

Kind regards

Bob

[1]: http://click-framework.blogspot.com/2010/09/apache-click-220-dynamic-form.html
[2]: https://issues.apache.org/jira/browse/CLK

On 4/11/2010 07:02, Moritz Kammerer wrote:
> Hey Click users,
>
> can anyone tell me why the bypass_validation flag has been implemented?
>
> In my opinion this opens a big security hole, because the form is
> considered valid, but the validators haven't been run...
>
> Moe
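
Added example, not part of the original e-mail and not Apache Click code: a simplified stand-alone model of the behaviour discussed in this thread, showing a handler that trusts `isValid()` next to the proposed change where a bypassed form is never reported valid. The `ModelForm` class, the `age` field and the assumption that the flag arrives as a request parameter named `bypass_validation` are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Simplified stand-in for a form; NOT Apache Click's Form class.
public class BypassValidationDemo {
    static class ModelForm {
        private final Map<String, Predicate<String>> validators = new LinkedHashMap<>();
        private final boolean hardened;
        private boolean bypassValidation;
        private boolean valid = true;

        ModelForm(boolean hardened) { this.hardened = hardened; }

        void addField(String name, Predicate<String> v) { validators.put(name, v); }

        // Assumption: the flag arrives as a request parameter named "bypass_validation".
        void process(Map<String, String> request) {
            bypassValidation = "true".equals(request.get("bypass_validation"));
            valid = true;
            if (bypassValidation) {
                return; // validators are skipped, as in the dynamic-form use case
            }
            for (Map.Entry<String, Predicate<String>> e : validators.entrySet()) {
                String value = request.getOrDefault(e.getKey(), "");
                if (!e.getValue().test(value)) valid = false;
            }
        }

        // Hardened variant: a form whose validators did not run is never reported valid.
        boolean isValid() {
            return hardened ? valid && !bypassValidation : valid;
        }
    }

    // Models a page handler that saves the submitted data whenever isValid() is true.
    static boolean wouldSave(boolean hardened, Map<String, String> request) {
        ModelForm form = new ModelForm(hardened);
        form.addField("age", v -> v.matches("\\d{1,3}"));
        form.process(request);
        return form.isValid();
    }

    public static void main(String[] args) {
        // Constructed request: an invalid field value sent together with the bypass flag.
        Map<String, String> request = Map.of("age", "not-a-number", "bypass_validation", "true");
        System.out.println("isValid() as discussed saves:  " + wouldSave(false, request));
        System.out.println("isValid() as proposed saves:   " + wouldSave(true, request));
    }
}
```

Independently of any framework change, a handler that persists data can check the bypass flag itself before acting on `isValid()`.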
