In my controller postprocessor, I would like to add an event that sets a
list of companies that the user can access. I.e. if the user is an external
user, I only want them to have access to their own data.
List<String> companyCodeList = ...; // lookup in db based on userLoginId
Security security = (Security) request.getAttribute("security");
if (security.hasPermission("INTERNAL_STAFF", request.getSession())) {
    // internal staff: no restriction, so drop the attribute
    request.removeAttribute("companyCodeList");
} else {
    // external user: restrict to their own companies
    request.setAttribute("companyCodeList", companyCodeList);
}
In the entity condition for the form:
<condition-expr field-name="companyCode" operator="in"
value="${parameters.companyCodeList}" ignore-if-empty="true"
ignore-if-null="true"/>
It seems that it is possible for malicious users to try to override this by
adding http parameters, e.g.
http://localhost/myapp/control/something?companyCodeList=ABC
What is the recommended way of passing data from my controller event without
using parameters?
Many thanks in advance,
Chris
--
View this message in context:
http://www.nabble.com/security---http-parameters-override-setAttributes--tp23228799p23228799.html
Sent from the OFBiz - User mailing list archive at Nabble.com.
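As an added example, not code from the post above or from OFBiz: a small Python model of the two shapes of this filter. The first reads the company list from a merged "parameters" map the way the posted entity condition does, with ignore-if-empty semantics; the second reads only the server-set attribute map (in an OFBiz widget that would mean a server-only map such as `requestAttributes` rather than `parameters`, if it is available to the form in question) and fails closed when the attribute is absent. The `Request` class, the `params_override_attrs` flag, the sample rows and the lookup table are all constructed here; in particular the flag is an assumption used to show why merge precedence matters, not a statement of how OFBiz actually merges the two.

```python
# Added example (not code from the post or from OFBiz): models a request-scoped
# authorization filter that reads the company list from a merged "parameters"
# map versus one that reads only the server-set attribute. `Request`, the
# precedence flag, the sample rows and the lookup table are constructed here.
from dataclasses import dataclass, field

UNRESTRICTED = object()  # sentinel: server explicitly decided no company filter applies


@dataclass
class Request:
    params: dict = field(default_factory=dict)  # URL/body parameters: user-controlled
    attrs: dict = field(default_factory=dict)   # request attributes: set by server code


# Constructed sample data standing in for the entity rows the form would list.
SAMPLE_ROWS = [
    {"companyCode": "ABC", "amount": 100},
    {"companyCode": "XYZ", "amount": 200},
    {"companyCode": "QRS", "amount": 300},
]


def lookup_company_codes(user_login_id):
    """Stand-in for the post's DB lookup of companies a user may access (constructed)."""
    return {"ext_user": ["XYZ"]}.get(user_login_id, [])


def original_event(request, user_login_id, is_internal_staff):
    """Mirrors the post's event: clear the attribute for staff, set it for others."""
    if is_internal_staff:
        request.attrs.pop("companyCodeList", None)
    else:
        request.attrs["companyCodeList"] = lookup_company_codes(user_login_id)


def combined_map(request, params_override_attrs):
    """Widget-style merged context. Which side wins on a key collision is the crux;
    the flag is an assumption, not a statement about OFBiz's actual precedence."""
    merged = {}
    first, second = ((request.attrs, request.params) if params_override_attrs
                     else (request.params, request.attrs))
    merged.update(first)
    merged.update(second)
    return merged


def filter_from_parameters(request, params_override_attrs=True):
    """Vulnerable shape: value from merged `parameters`, ignore-if-empty/null."""
    value = combined_map(request, params_override_attrs).get("companyCodeList")
    if value is None or value == "" or value == []:
        return list(SAMPLE_ROWS)  # condition dropped: no restriction at all
    codes = value.split(",") if isinstance(value, str) else list(value)
    return [row for row in SAMPLE_ROWS if row["companyCode"] in codes]


def hardened_event(request, user_login_id, is_internal_staff):
    """Always set the attribute; use the sentinel, not absence, for 'no restriction'."""
    request.attrs["companyCodeList"] = (
        UNRESTRICTED if is_internal_staff else lookup_company_codes(user_login_id)
    )


def filter_from_attributes(request):
    """Hardened shape: read only the server-set attribute and fail closed if missing."""
    if "companyCodeList" not in request.attrs:
        return []  # event did not run or was bypassed: show nothing
    codes = request.attrs["companyCodeList"]
    if codes is UNRESTRICTED:
        return list(SAMPLE_ROWS)
    return [row for row in SAMPLE_ROWS if row["companyCode"] in codes]


def demo():
    """External user tampering with the URL, under both shapes (constructed scenario)."""
    results = {}
    for tampered in ("ABC", ""):  # pick another company, or blank it to drop the filter
        req = Request(params={"companyCodeList": tampered})
        original_event(req, "ext_user", is_internal_staff=False)
        results[("parameters", tampered)] = [r["companyCode"] for r in filter_from_parameters(req)]
        req = Request(params={"companyCodeList": tampered})
        hardened_event(req, "ext_user", is_internal_staff=False)
        results[("attributes", tampered)] = [r["companyCode"] for r in filter_from_attributes(req)]
    return results


if __name__ == "__main__":
    for key, codes in demo().items():
        print(key, "->", codes)
```

Two things the model makes visible that the post only hints at: when user parameters can shadow the attribute, an empty `companyCodeList=` is worse than a forged one, because ignore-if-empty silently drops the condition and every company is listed; and removing the attribute for staff makes "no attribute" mean "no restriction", so any code path that skips the event inherits that meaning. Setting the attribute on every path, with an explicit unrestricted sentinel, and having the condition read only the server-set map closes both.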