Hi Bob,

returning always false when bypass_validation is active? That would fix the security problem, but it's a little bit strange.

I think a better approach is to disable the bypass_validation mechanism by default, and only enable it on demand. There must be a way to run the validators nonetheless.

Here's the JIRA ticket: https://issues.apache.org/jira/browse/CLK-726

Thanks and kind regards,
Moe

On 03.11.2010 23:05, Bob Schellink wrote:
> Hi Moritz,
>
> The use case for bypass_validation is for working with dynamic forms and adding new Fields on the fly. For example, checking a CheckBox might submit the Form to the server which could add another Field to the Form and show the updated Form to the user. In this case we might not want to validate the Form because the user did not intend to submit the Form. You can read more about it here[1].
>
> You do raise a good point that this can be abused by an attacker. What we could do is for Form#isValid() to return false if #isBypassValidation is true.
>
> Interested in hearing your and others' thoughts on this.
>
> Also if you don't mind opening a JIRA[2] on this.
>
> Kind regards
>
> Bob
>
> [1]: http://click-framework.blogspot.com/2010/09/apache-click-220-dynamic-form.html
> [2]: https://issues.apache.org/jira/browse/CLK
>
> On 4/11/2010 07:02, Moritz Kammerer wrote:
>> Hey Click users,
>>
>> can anyone tell me why the bypass_validation flag has been implemented?
>>
>> In my opinion this opens a big security hole, because the form is
>> considered valid, but the validators haven't been run...
>>
>> Moe
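The two mitigations proposed in this thread (bypass off unless a form opts in, and isValid() returning false after a bypass), sketched as an added example that is not Apache Click code and not written by either poster. `SketchForm`, its methods and the parameter value `"true"` are assumptions made for illustration; only the parameter name `bypass_validation` comes from the thread.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

// Simplified model for illustration; these are not Apache Click classes.
public class BypassValidationSketch {
    static class SketchForm {
        private final Map<String, Predicate<String>> validators = new LinkedHashMap<>();
        private final boolean bypassAllowed;      // opt-in per form, off unless requested
        private final boolean bypassMeansInvalid; // isValid() is false after a bypass
        private boolean bypassed;
        private boolean errors;
        SketchForm(boolean bypassAllowed, boolean bypassMeansInvalid) {
            this.bypassAllowed = bypassAllowed;
            this.bypassMeansInvalid = bypassMeansInvalid;
        }

        void addField(String name, Predicate<String> validator) {
            validators.put(name, validator);
        }

        void process(Map<String, String> request) {
            errors = false;
            // The parameter is client-controlled, so honour it only on opt-in forms.
            bypassed = bypassAllowed && "true".equals(request.get("bypass_validation"));
            if (bypassed) return; // validators are skipped
            for (Map.Entry<String, Predicate<String>> e : validators.entrySet()) {
                if (!e.getValue().test(request.getOrDefault(e.getKey(), ""))) errors = true;
            }
        }
        boolean isValid() {
            return !(bypassed && bypassMeansInvalid) && !errors;
        }
    }

    static boolean submit(boolean bypassAllowed, boolean bypassMeansInvalid) {
        SketchForm form = new SketchForm(bypassAllowed, bypassMeansInvalid);
        form.addField("amount", v -> v.matches("\\d+"));
        // Constructed request: invalid amount plus a client-supplied bypass flag.
        form.process(Map.of("amount", "-5", "bypass_validation", "true"));
        return form.isValid();
    }

    public static void main(String[] args) {
        System.out.println("bypass always honoured:   " + submit(true, false));
        System.out.println("bypass off by default:    " + submit(false, false));
        System.out.println("bypass implies not valid: " + submit(true, true));
    }
}
```

Only the first configuration, which models the behaviour questioned in the thread, reports the form as valid for the invalid `amount`; both mitigations report it as invalid.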
