Spring Roo / ROO-1031

<form:update should not expose id to avoid manipulation


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 1.1.0.M1
    • Fix Version/s: 1.1.0.M2
    • Component/s: WEB MVC
    • Labels: None

    Description

The update views built by Roo hold a hidden input field that has the id of the persistent object.

      <input type="hidden" value="6" name="id" id="_id_id">

      It is easy to change the value of this hidden field and so you can manipulate other entities.

      If there is no out-of-the-box solution, maybe it is a good improvement to obfuscate the id to make manipulation more difficult and still rely on stateless controllers.
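A stateless way to realise the obfuscation the report asks for, added here as an example and not code from Spring Roo: the hidden field carries the id together with an HMAC keyed by a server secret and bound to the logged-in user, so an id that has been swapped in the browser fails verification. The class name FormIdToken, the server secret and the user id are assumed names.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper, not part of Spring Roo: the hidden field carries "id.mac"
// instead of the bare id. The MAC is keyed with a server secret and bound to the
// authenticated user, so the controller stays stateless but a swapped id is rejected.
public final class FormIdToken {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public FormIdToken(byte[] serverSecret) {
        this.key = new SecretKeySpec(serverSecret, ALG);
    }

    private byte[] mac(long id, String userId) {
        try {
            Mac m = Mac.getInstance(ALG);
            m.init(key);
            // the user id is part of the MAC input: the token is valid for this user only
            return m.doFinal((id + "|" + userId).getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Value to render into the hidden field of the update form instead of the bare id. */
    public String protect(long id, String userId) {
        return id + "." + Base64.getUrlEncoder().withoutPadding().encodeToString(mac(id, userId));
    }

    /** Recovers the id from the submitted field; throws if the MAC does not match this user. */
    public long unprotect(String token, String userId) {
        int dot = token.indexOf('.');
        if (dot <= 0) throw new IllegalArgumentException("malformed id token");
        long id = Long.parseLong(token.substring(0, dot));
        byte[] given = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        // constant-time comparison so timing does not reveal how many MAC bytes matched
        if (!MessageDigest.isEqual(mac(id, userId), given)) {
            throw new SecurityException("id token was not issued for this user");
        }
        return id;
    }
}
```

Render `protect(entity.getId(), principalName)` into the hidden field and call `unprotect` in the POST handler before loading the entity; the handler should still check that the user is permitted to modify that entity, since the token only stops the posted id from being exchanged for another one.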

People

    Assignee: Stefan Schmidt (sschmidt)
    Reporter: elmar kretzer (elmarkretzer)
    Votes: 0
    Watchers: 1
