On 1/23/06, Rick Reumann <[EMAIL PROTECTED]> wrote:
>
> I suppose I should reply to this on the dev list but since this
> thread is so long now I figured I'd add a bit more on the topic here.
> I see Paul/Frank what the concern is, but I think the 'problem' needs
> to be clarified a bit more. The problem, in my opinion, really only
> occurs when someone is trying to go to an action through a URL and
> they intentionally type in the canceled parameter which bypasses the
> validation procedure. On an action where you do truly want to support
> a cancelled operation, I believe Struts is handling things just fine.
> Am I wrong here Paul?
>
> In other words, you definitely would want validation skipped on
> actions where you are going to provide a cancel button. That's the
> whole point of cancelling - to typically leave the form without having
> completed it. You also would still want the execute method to process
> so you could handle the 'isCancelled' and do any cleanup or other
> things. I think on forms where you provide a Cancel everything works
> fine.
>
> It's the fact that you can spoof a canceled to other actions by typing
> in the URL that causes the potential problem.
>
> The solution I would like to see is if the canceled param is passed to
> the Action, it tries to look for a "canceled" method in the Action. I
> know this makes the Action like a DispatchAction but in this regard I
> don't think the non-Dispatch folks would disapprove too much. In other
> words, execute is never performed (nor is a dispatch method performed)
> only the 'cancelled' method is looked for. Validation is skipped as
> usual for this cancelled method. This is better than having to use the
> current "isCancelled" since you are never in your Action's execute
> or Action dispatch method.
>
> Another option might be to force an include in the action mapping of
> 'canCancel=true' for Actions that are cancelable. That might be more
> difficult to figure out how to handle though as far as the life-cycle
> goes. I haven't thought that one through.
>
> What do you guys think about just making sure a "cancelled" method is
> looked for when canceling?


I was trying to suggest the same thing in an earlier mail.
My English must be very bad hihi

Tamas
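
The two options raised in the quoted message, sketched as an added example that is not code from the thread or from Struts: a simplified model of the request life-cycle in which a cancel parameter is honoured only for mappings marked cancelable, and then routed to a cancel handler instead of execute. The `Mapping` record, `process()`, the `canCancel` flag and the sample requests are assumptions made for illustration; the parameter name is the one the Struts 1 `<html:cancel>` tag renders.

```java
import java.util.Map;

// Simplified model of the life-cycle discussed above (requires Java 16+).
// Not Struts code: Mapping, process() and canCancel are hypothetical.
public class CancelGateDemo {
    // Request parameter name rendered by the Struts 1 <html:cancel> tag.
    static final String CANCEL_PARAM = "org.apache.struts.taglib.html.CANCEL";

    record Mapping(String path, boolean validate, boolean canCancel) {}

    // Stand-in for form validation: the "name" field is required.
    static boolean isValid(Map<String, String> params) {
        String name = params.get("name");
        return name != null && !name.isBlank();
    }

    // gate=false models the behaviour under discussion: a cancel parameter
    // skips validation and execute still runs. gate=true applies the proposals.
    static String process(Mapping m, Map<String, String> params, boolean gate) {
        boolean cancelled = params.containsKey(CANCEL_PARAM);
        if (cancelled && gate) {
            if (!m.canCancel()) {
                return "REJECTED: cancel not allowed for " + m.path();
            }
            // Cancelable mapping: only the cancel handler runs, never execute.
            return "cancelled(): cleanup only for " + m.path();
        }
        if (!cancelled && m.validate() && !isValid(params)) {
            return "INPUT: validation failed for " + m.path();
        }
        // Without the gate, a spoofed cancel reaches this point unvalidated.
        return "execute() ran for " + m.path() + " with name=" + params.get("name");
    }

    public static void main(String[] args) {
        Mapping save = new Mapping("/saveUser", true, false); // no cancel button
        Mapping edit = new Mapping("/editUser", true, true);  // has a cancel button
        // Constructed sample request: cancel parameter present, "name" missing.
        Map<String, String> withCancel = Map.of(CANCEL_PARAM, "Cancel");

        System.out.println(process(save, withCancel, false));
        System.out.println(process(save, withCancel, true));
        System.out.println(process(edit, withCancel, true));
        System.out.println(process(save, Map.of(), true));
    }
}
```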
