Hi BJ,
What I'm trying to achieve is row level security when accessing an entity
consisting of legacy data. The data has a foreign key (companyCode). Each
userLoginId is assigned a list of company codes that they have permission to
view.
For the parameter overriding, my example was using an HTTP GET, but
companyCodes could be added by a malicious user using an HTTP POST call.
Either way, a malicious user can override the companyCodeList that was added
in my event using request.setAttribute("companyCodeList")?
Many thanks,
Chris
--
View this message in context:
http://www.nabble.com/security---http-parameters-override-setAttributes--tp23228799p23230043.html
Sent from the OFBiz - User mailing list archive at Nabble.com.