Created
March 6, 2012 00:50
-
-
Save acreeger/1982541 to your computer and use it in GitHub Desktop.
A potential addition to the Grails framework to promote secure data binding.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Crucially, a class with an empty or missing dataBindable property would not be processed at all by bindData or other batch updating mechanisms. This is a harsh breaking change, but makes it clear that the developer must think about security. Since it is a breaking change, there should be a configurable "legacy mode" that could be configured to "true" to enable old behavior for all objects, or it could also be configured to a list of classes or namespaces to enable gradual migration. "dateCreated" and "lastUpdated" should never be updated via bindData or similar. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class User { | |
| //Fields listed here would not be processed bindData, or new User(params) | |
| static dataBindable = ["username", "firstName", "lastName"] | |
| String username | |
| String firstName | |
| String lastName | |
| boolean isActive = false | |
| int failedPasswordAttemptCount = 0 | |
| Date dateCreated | |
| Date lastUpdated | |
| static constraints = { | |
| //strict constraints go here | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment