Grails

bindData has the option to explicitly "include" and "exclude" fields from binding, however this is not documented

Details

  • Type: Improvement
  • Status: Closed
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: 1.0.4
  • Fix Version/s: 1.2 final
  • Component/s: Documentation
  • Labels:
    None

Description

The current documentation only states how to exclude fields.

E.g.

bindData(sc, params, ['myReadOnlyProp'])

But the other way around - defining which fields to include - is also possible but not documented. From a security point of view this is a much better approach.

This can be done by:
bindData(sc, params, [include: ['property1', 'property2']]) // will only bind prop1 and 2 but not other properties on the request
bindData(sc, params, [exclude: ['property3', 'property4']]) // will not bind prop3 and 4 but other properties on the request will be bound

Sections to update in the documentation:
http://grails.org/doc/1.0.x/ref/Controllers/bindData.html
http://grails.org/doc/1.0.x/guide/6.%20The%20Web%20Layer.html#6.1.6%20Data%20Binding --> paragraph Data Binding and Security concerns

Issue Links

Activity

Dominic Clifton added a comment -

Additionally, and I'm not sure if this is a bug or intended behavior, it's NOT possible to include or exclude associations using the include: or exclude: map keys.

e.g. You want to disallow modification of the address assigned to the person:

class Person {
    Address address
    String name
    Date createdAt
}

class Address {
    String Line1
    String Line2
}

...

If you update the scaffolded code in the PersonController's update action closure from:

personInstance.properties = params
to:

bindData(personInstance, params, [include: ['name']])

or:

bindData(personInstance, params, [exclude: ['address.id']])

the person.address property's id field is updated if changed using the drop-down form control.

I would also like to be able to do this:

bindData(personInstance, params, [exclude: ['createdAt', 'address.id']])

that is: disallow changes to the person instance's createdAt timestamp and the address associated with it.

If it's possible, it should be documented, if it's not it should be implemented or if there's another preferred way please tell us.

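The include allow-list from the description applied to the Person/Address case in the comment above, as an added example that is not the Grails project's own code or the commenter's. It assumes the Person and Address domain classes posted above and a Grails release in which include/exclude also cover association properties such as address.id.

```groovy
// Added example, not code from the Grails project or from the issue author.
// Assumes the Person/Address domain classes posted in the comment above and a
// Grails version in which include/exclude also apply to association properties.
class PersonController {

    // Before (scaffolded default): every request parameter that matches a
    // property is bound, so a client can submit createdAt=... or address.id=...
    // and overwrite fields the edit form never exposed (mass assignment).
    def updateUnsafe = {
        def personInstance = Person.get(params.id)
        personInstance.properties = params
        personInstance.save(flush: true)
        redirect(action: "show", id: personInstance.id)
    }

    // After: an allow-list. Only 'name' can be changed from the request;
    // createdAt and the address association stay as they were regardless of
    // what the client sends. Properties added to Person later are covered
    // too, because anything not listed is simply ignored.
    def update = {
        def personInstance = Person.get(params.id)
        if (!personInstance) {
            flash.message = "Person not found with id ${params.id}"
            redirect(action: "list")
            return
        }
        bindData(personInstance, params, [include: ['name']])
        if (!personInstance.hasErrors() && personInstance.save(flush: true)) {
            redirect(action: "show", id: personInstance.id)
        } else {
            render(view: "edit", model: [personInstance: personInstance])
        }
    }

    // Deny-list form from the comment above: blocks createdAt and the address
    // id but lets every other current and future property through, so it has
    // to be revisited each time the domain class grows.
    def updateDenyList = {
        def personInstance = Person.get(params.id)
        bindData(personInstance, params, [exclude: ['createdAt', 'address.id']])
        personInstance.save(flush: true)
        redirect(action: "show", id: personInstance.id)
    }
}
```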
Dominic Clifton added a comment -

http://jira.codehaus.org/browse/GRAILS-3440 seems to be related

Jean-Noël Rivasseau added a comment -

Also running into this. It seems bindData is completely broken as soon as there are associations / collections. This is very bad as it can have dramatic security implications. I may try to put up a reproducible app soon.

Dominic Clifton added a comment -

I'm running into this quite a lot now and it could really do with being fixed/implemented asap.

What happens if you have a self referencing domain object with a 'parent' field? If it's possible to supply "params.parent.parent.parent.someProperty=somevalue" that'd also be pretty bad, we should at least be able to specify "exclude: ['parent']" to exclude the parent association.

Graeme Rocher added a comment -

There is no scope / time to resolve these remaining lower priority issues for 1.2 so moving to 1.3

for 1.2 final only issues considered blocking will now be fixed

Graeme Rocher added a comment -

Assigning all documentation related issues to 1.2 final since they don't represent a change to the codebase

Graeme Rocher added a comment -

I've updated the documentation for this here: http://github.com/grails/grails/commit/8302a13ecfef44d019fafd51100c08f683336cac

Also the bug where include/exclude didn't work for associations is now fixed as of 1.2 RC2

