Okay, that is something I expected. But can you please explain, why wouldn't you use validator for this? It seems to be a good way to encapsulate certain functionality and if it can't be bypassed, there're no security issues also. Still, you'd use a check in onSubmit().
I'm just trying to understand if I maybe missing something here :) On Fri, Jun 6, 2008 at 9:43 PM, Sven Meier <[EMAIL PROTECTED]> wrote: > Well, if your validator doesn't approve the entered password your form will > never accept the submit. > There's no way to bypass the validation. > > I'd prefer to check a password in onSubmit() though - but YMMW. > > Sven > > Sergey Podatelev schrieb: > > Hello, >> >> I'm wondering, how safe is it to use a custom validator to check current >> password of the logged-in user, when he wants to change his password (say, >> on a profile page)? >> Are there are any potential security issues that can allow user to pass a >> validation? >> >> >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] > > -- sp
