Yes, that would be great. And maybe logging for the admin to know to
watch the user :)
-Matej
Johan Compagner wrote:
ahh ok
tampering with urls.. just trying them out and see if you hit a component
Ok but then throw an exception/return a forbidden status.
johan
Matej Knopp wrote:
Let me make an example. In the app I'm working on I (as user) have my
POJOs - Assignments. Then looking at my assignment, I can edit them,
etc. When looking at someone else's assignments (yes, this is possible
and desired behavior), the edit links are hidden (but there are other
visible (allowed) actions).
Then I just need to change the page id in the URL of my edit link to become
able to edit someone else's assignment.
I'm not sure if I've written it cleanly enough, but hope it's obvious
that it's a clean security problem.
-Matej
Johan Compagner wrote:
redirect to the same page as you where on?
So the just directly redirect to the invoker page if a component that
is invisible (or one of the parents)
But maybe developers or users get completely confused then..
And how is it possible that you get a url to an invisible component?
Who generated that url in the first place? (can't be the component
because that one was invisible so couldn't generate itself)
johan
Matej Knopp wrote:
The easiest would be to do nothing. Do as normal, just ignore the
action. So if put in a url that would trigger action on invisible
component, I would just get redirected to
appName?component=X&interface=IRedirectListener,...etc
Another one would be displaying an error page (like expired page).
But I think the first one is a better (and simpler) solution, but
that's only my opinion (and it's more a feeling than an opinion :))
-Matej
Eelco Hillenius wrote:
Hmmm. Sure looks like an unwanted backdoor. I agree we should fix
this. What do you think would be the proper action to take when
Wicket recognizes that an invisible component is called?
Eelco
Matej Knopp wrote:
Hi. I'm using wicket 1.0 and I just realized, that it is possible
to invoke action (ILinkListener, etc) on an invisible component.
Is this intentional?
Because in my application it causes problems. For example I have a
page with my bean properties and several buttons to
edit/manipulate it. I show/hide these buttons according to current
user rights. But even if they are not visible, they can be invoked
through url very simply.
Can anything be done to prevent this?
I tried to alter this behavior but didn't succeed as every
method in WebRequest dealing with invoking is either private or
final. (I know it's a design decision and I accept it, no rambling
here :))
-Matej
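As an added illustration (not code from this thread and not Wicket's own API; the class and method names are hypothetical), here is a minimal Java model of the fix the thread converges on: resolve the component the URL names, refuse to run its listener unless it and all of its parents are visible and enabled, answer with a forbidden status, and log the attempt so the admin can watch the user.

```java
import java.util.*;
import java.util.logging.Logger;

/** Hypothetical component model (not Wicket's own API) used to show the check. */
class Component {
    final String id; final Component parent;
    final Map<String, Component> children = new LinkedHashMap<>();
    boolean visible = true, enabled = true;
    Runnable onClick;                        // the action a crafted URL may try to trigger
    Component(String id, Component parent) {
        this.id = id; this.parent = parent;
        if (parent != null) parent.children.put(id, this);
    }
    /** A hidden or disabled parent hides its children too, so walk the whole chain. */
    boolean isActiveInHierarchy() {
        for (Component c = this; c != null; c = c.parent)
            if (!c.visible || !c.enabled) return false;
        return true;
    }
    /** Resolve a colon-separated path such as "assignment:editLink" below this component. */
    Component get(String path) {
        Component c = this;
        for (String seg : path.split(":")) { c = c.children.get(seg); if (c == null) return null; }
        return c;
    }
}

/** Listener dispatch that checks the component's state instead of trusting the URL. */
class ListenerDispatcher {
    private static final Logger LOG = Logger.getLogger("security");
    static final int OK = 200, FORBIDDEN = 403, NOT_FOUND = 404;
    /** Runs the listener only when the target is active; otherwise a forbidden status plus a log line. */
    static int invoke(Component page, String path, String user) {
        Component target = page.get(path);
        if (target == null) return NOT_FOUND;
        if (!target.isActiveInHierarchy()) {
            LOG.warning("user " + user + " invoked hidden component " + path); // for the admin to watch
            return FORBIDDEN;
        }
        if (target.onClick != null) target.onClick.run();
        return OK;
    }
    public static void main(String[] args) {
        Component page = new Component("page", null);
        Component edit = new Component("editLink", new Component("assignment", page));
        edit.onClick = () -> System.out.println("assignment edited");
        edit.visible = false;   // viewer is not the owner: link hidden, as the page does today
        System.out.println(invoke(page, "assignment:editLink", "bob"));   // same URL a tampered request would carry
        edit.visible = true;    // owner: the identical URL is now a legitimate call
        System.out.println(invoke(page, "assignment:editLink", "alice"));
    }
}
```

The point is that the hidden link never generated the URL, so the dispatcher, not the URL, is the only place the authorization decision can be enforced.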
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration
Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Wicket-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/wicket-user