> ../myApp/viewUserDetails.do?methodToCall=edit&userid=1, it
> goes to Edit User page.

So what's wrong with that? Even if you are using 'hidden' fields you will retrieve them as request.getParameter(). If you don't pass the hidden field but just type it in the URL then also it will work.
If you are worried that user with userid 1 might be able to see edit page for user with userid 20 by just changing the URL (/myApp/viewUserDetails.do?methodToCall=edit&userid=20) then really your action should be checking whether logged-in userid matches userid coming from request.getParameter() or whatever logic your application requires...

On 2/20/08, Dave Newton <[EMAIL PROTECTED]> wrote:
> --- "semaj.najraham" <[EMAIL PROTECTED]> wrote:
> > How do I allow only POST form submission? Do I need to check on each Struts
> > Action method request.getMethod() is POST? If that's true, then I'm
> > screwed. I will need to make changes on all my action classes.
>
> If you actually *care*, then yes, you'd need to implement that across the
> application somehow. There are several ways you could go about this,
> including creating a custom request processor (which could be combined with a
> struts configuration property, marker interface, or whatever), implement an
> action sub-class (that's what I always used to do, IIRC), or put it in each
> action, or...
>
> I seriously doubt that you're "screwed" to any great degree.
>
> Dave
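
Added example, not part of the original thread or of Struts itself: a base Action subclass that combines the two checks discussed above, rejecting non-POST requests and comparing the `userid` request parameter with the logged-in user before any edit logic runs. It assumes the Struts 1 `Action` API and a servlet container on the classpath; the class name `OwnUserPostAction`, the method `executeAuthorized` and the session attribute `authenticatedUserId` are hypothetical names chosen for illustration.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical base class: actions that edit a user extend this instead of Action. */
public abstract class OwnUserPostAction extends Action {

    // Assumption: the application's login code stores the authenticated user's id
    // in the session under this (hypothetical) attribute name.
    static final String SESSION_USER_ID = "authenticatedUserId";

    @Override
    public final ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception {
        // Accept form submissions only; a URL typed into the browser arrives as GET.
        if (!"POST".equals(request.getMethod())) {
            response.setHeader("Allow", "POST");
            response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return null; // response is complete, Struts performs no forward
        }

        // The userid parameter is client-controlled whether it came from a hidden
        // field or the query string, so it is checked against the session, which
        // the server controls.
        HttpSession session = request.getSession(false);
        Object loggedIn = (session == null) ? null : session.getAttribute(SESSION_USER_ID);
        String requested = request.getParameter("userid");
        if (loggedIn == null || requested == null
                || !String.valueOf(loggedIn).equals(requested)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }

        return executeAuthorized(mapping, form, request, response);
    }

    /** Subclasses move their former execute() body here; it runs only after both checks pass. */
    protected abstract ActionForward executeAuthorized(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response) throws Exception;
}
```

Making `execute` final keeps a subclass from bypassing the checks by overriding it; an application with roles such as administrators would widen the ownership comparison to whatever rule it requires.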