Sunday 15 April 2012

playframework - Play Form doesn't transfer omitted fields from data model -


I'm new to Play 2.3 and having a lot of problems with forms and data binding. Here's a scenario that's costing me a lot of headaches:

I have a model, e.g. (annotations left out):

    public class User extends Model {
        public Integer id;
        public String name;
        public String anyOtherField;
    }

Now I have a form in a Scala view where I want to be able to alter the user's name:

    @(userForm: Form[User])
    @helper.form(action = routes.UserController.save()) {
        @helper.inputText(userForm("name"), '_label -> "Name")
    }

I call the view in the controller like this:

    Form<User> userForm = Form.form(User.class).fill(myUser);
    return ok(views.html.usermgmt.userEdit.render(userForm));

When the user submits the form I handle it in the controller like that:

    public static Result save() {
        Form<User> userForm = Form.form(User.class).bindFromRequest();
        User user = userForm.get();
        // further processing of user
    }

However, and here comes the big surprise: the resulting User from userForm.get() has no fields filled other than "name". No "id", no "anyOtherField". What's the point in having data binding when the resulting object is totally useless for further processing? Am I missing something?

If I'm not missing something, I have to write a lot of boilerplate code in order to do the data binding myself:

Either manually assign the changed fields to the real "User" object (which I'd have to re-fetch within save() first), or include hidden fields for all fields in the model. In that case I'd better not forget to update the form if I add a field to the model.

Please tell me I'm missing something!?

Binding the parameters manually is (at least from a security point of view) the best way to go. Imagine your User model has a field that saves security-relevant information, for example isAdmin in a simple model. If you bind your forms to the User class that the backend uses to store the info in the database, an attacker is able to make himself admin by adding an additional parameter to the save request.

The binding mechanism isn't meant to be used with backend data models. This seems to be a misunderstanding that isn't described in the documentation. I've filed a bug once because of a security vulnerability, and the developers made clear that using backend models to bind form data is not the way form binding should be used. See the bug report for details: https://github.com/playframework/playframework/issues/2358
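The pattern the answer recommends, as an added example that is not part of the original post or of Play itself: a separate form-backing class that carries only the editable fields, bound with Play 2.3's Form.form, then copied field by field onto the entity fetched from the database. It assumes Play 2.3 Java with Ebean, a hypothetical UserEditForm class, a User model with the usual Play Finder (User.find), and routes that put the user id in the URL rather than in the form body.

```java
import play.data.Form;
import play.data.validation.Constraints;
import play.mvc.Controller;
import play.mvc.Result;

public class UserController extends Controller {

    // Hypothetical form object: only the fields a user may edit live here.
    // A posted "id" or "isAdmin" parameter has no matching field, so the
    // binder drops it instead of writing it into the persistent User.
    public static class UserEditForm {
        @Constraints.Required
        public String name;
    }

    // GET /users/:id/edit (assumed route); the view is assumed to take the id
    public static Result edit(Integer id) {
        User user = User.find.byId(id);       // assumes the Play 2.3 Ebean Finder on User
        if (user == null) {
            return notFound();
        }
        UserEditForm data = new UserEditForm();
        data.name = user.name;                // pre-fill only the editable field
        Form<UserEditForm> form = Form.form(UserEditForm.class).fill(data);
        return ok(views.html.usermgmt.userEdit.render(id, form));
    }

    // POST /users/:id (assumed route): the id comes from the URL, never from the request body
    public static Result save(Integer id) {
        Form<UserEditForm> form = Form.form(UserEditForm.class).bindFromRequest();
        if (form.hasErrors()) {
            return badRequest(views.html.usermgmt.userEdit.render(id, form));
        }
        User user = User.find.byId(id);       // re-fetch the real entity
        if (user == null) {
            return notFound();
        }
        // Copy the whitelisted fields only; id, isAdmin etc. stay untouched.
        user.name = form.get().name;
        user.update();
        return redirect(routes.UserController.edit(id));
    }
}
```

Whether the current caller is allowed to edit that particular id is a separate authorisation check that belongs in save() before the update.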

playframework playframework-2.3
