Spring Roo / ROO-1031

<form:update should not expose id to avoid manipulation


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.1.0.M1
    • Fix Version/s: 1.1.0.M2
    • Component/s: WEB MVC
    • Labels:
      None

      Description

      The update views built by Roo hold a hidden input field that has the id of the persistent object.

      <input type="hidden" value="6" name="id" id="_id_id">

      It is easy to change the value of this hidden field and so you can manipulate other entities.

      If there is no out-of-the-box solution, maybe it is a good improvement to obfuscate the id to make manipulation more difficult and still rely on stateless controllers.
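      Because the hidden id is client-controlled, a stateless controller cannot trust it; the server has to re-establish authorization on every update, and tagging the id only makes tampering detectable. The following is an added example written for this issue, not Spring Roo's generated controller code. The names PetController, Pet, Pet.findPet(), getOwner(), setName(), merge(), the hmacKey constructor argument and the view names are assumptions in Roo 1.1 style; Spring Security is assumed to supply the Principal and to map AccessDeniedException to a 403. The controller renders an HMAC-tagged id bound to the logged-in user into the hidden field and, independently of the tag, checks that the user owns the row before merging.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

// Added example, not Roo-generated code. Pet is assumed to be a Roo-style
// entity with Pet.findPet(Long), getOwner() (a username), setName(String)
// and merge(); Spring Security is assumed to supply the Principal.
@Controller
@RequestMapping("/pets")
public class PetController {

    private static final String HMAC_ALG = "HmacSHA256";

    // Assumption: a per-deployment secret injected from configuration, never hard-coded.
    private final byte[] hmacKey;

    public PetController(byte[] hmacKey) {
        this.hmacKey = hmacKey.clone();
    }

    /** Render the update form; the hidden field carries the signed id, not the raw one. */
    @RequestMapping(value = "/{id}", params = "form", method = RequestMethod.GET)
    public String updateForm(@PathVariable("id") Long id, Model uiModel, Principal principal) {
        Pet pet = loadOwned(id, principal);
        uiModel.addAttribute("pet", pet);
        uiModel.addAttribute("signedId", signId(id, principal.getName()));
        return "pets/update";
    }

    /** Handle the submitted form (Roo sends PUT through HiddenHttpMethodFilter). */
    @RequestMapping(method = RequestMethod.PUT)
    public String update(@RequestParam("id") String signedId,
                         @RequestParam("name") String name,
                         Principal principal) {
        Long id = verifyId(signedId, principal.getName());
        if (id == null) {
            // Tag missing, altered, or issued to another user: refuse the request.
            throw new AccessDeniedException("tampered or foreign id in update form");
        }
        Pet existing = loadOwned(id, principal); // authoritative check, independent of the tag
        existing.setName(name);                  // copy only editable fields, never the id
        existing.merge();
        return "redirect:/pets/" + id;
    }

    /** Loads the entity and checks that the logged-in user owns it. */
    private Pet loadOwned(Long id, Principal principal) {
        Pet pet = Pet.findPet(id);
        if (pet == null || !principal.getName().equals(pet.getOwner())) {
            throw new AccessDeniedException("not the owner of pet " + id);
        }
        return pet;
    }

    /** Produces "6.<base64url tag>", where the MAC covers both the user and the id. */
    String signId(Long id, String username) {
        return id + "." + hmac(username + ":" + id);
    }

    /** Returns the id if the tag verifies for this user, otherwise null. */
    Long verifyId(String signed, String username) {
        int dot = signed == null ? -1 : signed.indexOf('.');
        if (dot <= 0) {
            return null;
        }
        long id;
        try {
            id = Long.parseLong(signed.substring(0, dot));
        } catch (NumberFormatException e) {
            return null;
        }
        byte[] expected = hmac(username + ":" + id).getBytes(StandardCharsets.US_ASCII);
        byte[] actual = signed.substring(dot + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual) ? Long.valueOf(id) : null; // constant-time
    }

    private String hmac(String data) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(hmacKey, HMAC_ALG));
            byte[] tag = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

      The MAC keeps the controller stateless and lets it reject an edited hidden field outright, but it only proves that the server issued this id to this user; the ownership check in loadOwned() is the real authorization and must stay even if the tag is dropped. Obfuscating the id alone, as suggested above, raises the cost of guessing but does not stop a user who already knows another entity's id.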


              People

              Assignee:
              sschmidt Stefan Schmidt
              Reporter:
              elmarkretzer elmar kretzer
              Votes:
              0
              Watchers:
              1
