Paul Benedict wrote:
The problem isn't that Struts allows the user to cancel an action, but that EVERY action can be cancelled.

Understood...

This problem is heavily felt by GET requests because URLs are easy to mangle... and parameters can be added ad-hoc. I can take any action I use for a GET, add the CANCEL parameter to it, and then bypass all the validation I worked very hard to code :-)

Hmm, maybe I don't understand the problem... as I understand it, cancel essentially has no effect on anything in Struts unless you manually check for it and act accordingly, correct? Or are you saying that everything happens *except* validation?

In either case, wouldn't using Ted's suggestion in all your Actions alleviate the problem? If so, I agree that's not an optimal situation, so having the framework do that *before* form population or validation would seem right to me.

Am I misunderstanding?

I think this is an obvious bug: cancellations make sense during form driven input (or across many forms like a wizard), but cancelling with a link? Sure it could be useful but not in any applications I am dealing with.

I would agree, it does seem a pointless capability. But I don't think it would be smart to remove something because it doesn't seem useful, so it needs to be made to work in a way that is reasonable I think is all.

It's not so much a matter of finding a "cancel" forward. The problem is actions should control if they CAN be cancelled so their validation isn't bypassed. To me, this is a security concern and I think should be given a fix.

That's the part I guess I'm not clear on... how is validation bypassed? Is that *ALL* that is bypassed, or is form population bypassed too?

Paul

Frank
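
An added example, not code from either poster or from the Struts project: one way to let each action declare whether it can be cancelled, so a request carrying the cancel flag never reaches business logic with an unvalidated form. The names `CancelGuardAction`, `isCancellable`, `onCancel`, `doExecute` and the `cancel` forward are assumptions for illustration; `isCancelled(request)` is the existing Struts 1 `Action` method.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Hypothetical base class: actions are NOT cancellable unless they opt in.
 * Extend this instead of Action and put the real work in doExecute().
 */
public abstract class CancelGuardAction extends Action {

    /** Override to return true only for form or wizard actions that show a Cancel button. */
    protected boolean isCancellable() {
        return false;
    }

    /** Final so that subclasses cannot skip the cancel check by accident. */
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        if (isCancelled(request)) {
            if (!isCancellable()) {
                // The cancel flag arrived on an action that never offered it, so the
                // form bean was not validated. Refuse the request outright.
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return null; // response already written, nothing to forward to
            }
            return onCancel(mapping, form, request, response);
        }
        // Normal path: validation has run, the form can be trusted as validated.
        return doExecute(mapping, form, request, response);
    }

    /** Default cancel handling; assumes a forward named "cancel" is configured. */
    protected ActionForward onCancel(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        return mapping.findForward("cancel");
    }

    /** Business logic; only ever called for requests that were not cancelled. */
    protected abstract ActionForward doExecute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}
```

A wizard step would override `isCancellable()` to return true; every other action inherits the refusal without any extra code.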
