-
1. Re: Security on page parameter
damianharvey.damianharvey.gmail.com Aug 13, 2008 6:55 PM (in response to gus888)
What if the user is changing it to a valid ID that they have used before?
You are much better off validating the ID in the method that the pages.xml calls via the param. Then you can check whether the user is authorised to view this entity as well as checking that the ID is a valid format.
I went down the datamodel approach to stop users fiddling with IDs and now regret it.
My 2 pence anyway.
Cheers,
Damian.
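The pattern Damian describes, as an added example rather than code from the thread: a Seam 2 component whose load method is wired to the page parameter and re-checks the client-supplied id on every request. It assumes a JPA entity `Group` with `getOwnerUsername()`, a Seam-managed `EntityManager`, and the pages.xml wiring shown in the comment; the component and method names are hypothetical.

```java
// Assumed pages.xml wiring (not on the original page):
//   <page view-id="/group.xhtml">
//     <param name="groupId" value="#{groupHome.id}"/>
//     <action execute="#{groupHome.load}"/>
//   </page>
import javax.persistence.EntityManager;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.security.AuthorizationException;
import org.jboss.seam.security.Identity;

@Name("groupHome")
@Scope(ScopeType.CONVERSATION)
public class GroupHome {

    @In private EntityManager entityManager; // Seam-managed persistence context (assumed)
    @In private Identity identity;           // current authenticated user

    private Long id;        // bound from the groupId page parameter
    private Group instance; // Group is an assumed JPA entity

    public Long getId() { return id; }
    public void setId(Long id) { this.id = id; }
    public Group getInstance() { return instance; }

    // Runs on every request for the page, whether the user arrived from the
    // list or from a bookmark, so the id from the URL is never trusted:
    // the Long conversion enforces format, the lookup enforces existence,
    // and the ownership comparison enforces authorisation.
    public void load() {
        if (id == null) {
            throw new IllegalArgumentException("groupId is required");
        }
        Group g = entityManager.find(Group.class, id);
        String user = identity.getPrincipal() == null
                ? null : identity.getPrincipal().getName();
        // One outcome for "missing" and "not yours", so a changed id reveals
        // nothing about which ids exist.
        if (g == null || user == null || !user.equals(g.getOwnerUsername())) {
            throw new AuthorizationException("Group not available to this user");
        }
        instance = g;
    }
}
```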
-
2. Re: Security on page parameter
gus888 Aug 13, 2008 7:11 PM (in response to gus888)
Hi Damian,
It depends. If you allow users to input a valid ID that they have used before, you can ignore the urlChanged-view-id attribute. The same case is the no-conversation-view-id attribute. Generally, no users try to input a database primary key to get their information. Yes, we can add id validation for each id, but it needs a lot of database connections. Importantly, this id validation is unnecessary, since when list data are retrieved from the database, they are already validated. Now when you try to view an individual one, you validate it again?
-
3. Re: Security on page parameter
damianharvey.damianharvey.gmail.com Aug 13, 2008 7:17 PM (in response to gus888)
Yep. Validate it again. You shouldn't be trusting the client (browser).
I'm not sure how you'd even try to implement your urlChanged thingy. What if someone bookmarks a page?
-
4. Re: Security on page parameter
gus888 Aug 13, 2008 7:46 PM (in response to gus888)
Damian Harvey wrote on Aug 13, 2008 19:17:
I'm not sure how you'd even try to implement your urlChanged thingy.
I think the Seam team may have an idea how to implement this attribute, if they think this attribute is reasonable and necessary, like the Facebook site.
Some sensitive pages will not be allowed to be bookmarked.
Damian Harvey wrote on Aug 13, 2008 19:17:
What if someone bookmarks a page?
-
5. Re: Security on page parameter
gus888 Aug 13, 2008 7:57 PM (in response to gus888)
What if someone bookmarks a page?
Hi Damian, I think if users bookmark this page, the system should automatically redirect to urlChanged-view-id="/mygroupList.seam". Thanks.