Hello, I am not sure how to deal with the problem that a user can pass their own parameter values to the action class by changing the URL if there are setters provided.
For example, I often have a hidden field in a form that stores the ID, and the action class provides a getter and a setter. But the user can change the ID by modifying the URL (just adding "?id=42"). The problem is that this way he might access IDs that are not meant to be seen by him; they might belong to other users. I cannot see a good solution for that. A permission system just to check if the user is allowed to see this ID seems to be quite an overhead to me, whereas storing the ID in the session is not very handy, and I have to take care that it is removed safely. I am pretty sure that there is a good solution for that; I would be very grateful for any hints!

Best,
Anton
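The problem described in the post is parameter tampering against a direct object reference: the framework happily calls the setter with whatever the client sends, so the only thing that protects another user's record is what the action does with the id afterwards. The following is an added example, not code from the post or from any framework; it is a small Python stand-in for the action class, using an in-memory sqlite table as the data store. It assumes a document table with an owner column and that the authenticated user's id comes from the session or authentication layer rather than from the request (both assumptions are mine, not the post's). The unsafe handler loads the row by id alone; the hardened handler scopes the lookup to the current user, so a tampered id simply finds nothing, without a separate permission system.

```python
import sqlite3
from typing import Optional, Tuple

# Constructed sample data (not from the post): two users, each owning one document.
SAMPLE_ROWS = [
    (1, 100, "Alice's invoice"),   # id=1 belongs to user 100
    (42, 200, "Bob's invoice"),    # id=42 belongs to user 200
]

Row = Tuple[int, int, str]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the handlers read from."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE document ("
        " id INTEGER PRIMARY KEY,"
        " owner_id INTEGER NOT NULL,"
        " title TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO document VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_id(params: dict) -> Optional[int]:
    """Mimic the framework populating setId() from the request.

    Any client-supplied value is accepted here, exactly as a setter would;
    the hidden field and a hand-typed ?id=42 are indistinguishable.
    """
    try:
        return int(params.get("id"))
    except (TypeError, ValueError):
        return None


def view_document_unsafe(conn: sqlite3.Connection, params: dict) -> Optional[Row]:
    """Vulnerable: trusts the id from the request and loads the row by id alone.

    Whoever is logged in, ?id=42 returns Bob's invoice.
    """
    doc_id = parse_id(params)
    if doc_id is None:
        return None
    return conn.execute(
        "SELECT id, owner_id, title FROM document WHERE id = ?", (doc_id,)
    ).fetchone()


def view_document(conn: sqlite3.Connection, params: dict,
                  current_user_id: int) -> Optional[Row]:
    """Hardened: the lookup is scoped to the authenticated user.

    current_user_id must come from the session / auth layer (assumed here),
    never from the request. A foreign or non-existent id both yield None,
    so the response does not reveal whether the other record exists.
    """
    doc_id = parse_id(params)
    if doc_id is None:
        return None
    return conn.execute(
        "SELECT id, owner_id, title FROM document"
        " WHERE id = ? AND owner_id = ?",
        (doc_id, current_user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    tampered = {"id": "42"}           # Alice (user 100) edits the URL
    print("unsafe:", view_document_unsafe(db, tampered))
    print("scoped:", view_document(db, tampered, current_user_id=100))
    print("own   :", view_document(db, {"id": "1"}, current_user_id=100))
```

The ownership predicate is the whole "permission system" for this case: one extra column in the WHERE clause, evaluated on every load, with nothing to store in or clean out of the session. If records can legitimately be shared, the predicate becomes a join against whatever grants access, but the shape stays the same: the server decides which rows the user may see, and the client-supplied id only selects among those.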