
Why setDisallowedFields for id? -- Spring petclinic example

From the Spring API, I understood that @InitBinder is used to initialize some binding rules.

In the petclinic example, why do we have setdisallowed("id") when the id is not displayed on the form?

@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    dataBinder.setDisallowedFields("id");
}

The id field is not displayed on the web page, so why are we using the above code?

Can we have something like this:

@InitBinder
public void setAllowedFields(WebDataBinder dataBinder) {
    dataBinder.setDisallowedFields("FirstName");
}

As per the above code, the first name field of the owner object will not be set even though the user enters it on the form? Is that correct?

link for the source

javanoob asked Sep 27 '10 06:09


1 Answer

Because it can still be submitted if the end-user modifies the page or the request (for example using FireBug). Thus he can inject values into your bound object even if you don't want this.

Bozho answered Oct 25 '22 14:10
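The effect described in the answer can be observed outside a controller with Spring's `DataBinder` (the parent class of `WebDataBinder`). This is an added example, not code from PetClinic or from either poster; the `Owner` class, the `bind` helper and the parameter values are constructed for illustration, and it assumes the Spring `spring-beans` and `spring-context` jars are on the classpath. It binds the same request parameters twice, once without and once with `setDisallowedFields("id")`, and prints the resulting object state and the fields the binder suppressed.

```java
import java.util.Arrays;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

public class DisallowedFieldsDemo {

    // Hypothetical stand-in for the PetClinic Owner entity (assumption, not project code).
    public static class Owner {
        private Integer id;
        private String firstName;
        public Integer getId() { return id; }
        public void setId(Integer id) { this.id = id; }
        public String getFirstName() { return firstName; }
        public void setFirstName(String firstName) { this.firstName = firstName; }
    }

    // Binds constructed request parameters onto an Owner that was loaded with id 7.
    static Owner bind(boolean protectId) {
        Owner owner = new Owner();
        owner.setId(7);

        DataBinder binder = new DataBinder(owner, "owner");
        if (protectId) {
            binder.setDisallowedFields("id"); // same rule as the @InitBinder method
        }

        // Constructed sample: the form renders only firstName,
        // but the submitted request also carries an id parameter.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("firstName", "George");
        params.add("id", "1");
        binder.bind(params);

        String[] suppressed = binder.getBindingResult().getSuppressedFields();
        System.out.println("protectId=" + protectId
                + " id=" + owner.getId()
                + " firstName=" + owner.getFirstName()
                + " suppressed=" + Arrays.toString(suppressed));
        return owner;
    }

    public static void main(String[] args) {
        bind(false); // binder has no field restrictions
        bind(true);  // binder rejects the "id" parameter
    }
}
```

Logging `getSuppressedFields()` in a real application gives a signal that a client submitted a parameter the form never offered.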