Grails: GRAILS-8678

Controller classes allow you to change data in the database through fraudulent requests

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Not A Bug
    • Affects Version/s: 1.3.7
    • Fix Version/s: None
    • Component/s: Controllers
    • Labels: None
    • Environment: Windows Vista - STS 2.8.1

      Description

      Suppose your system has the following domain classes: User and Product.

      User

      • String name
      • String address

      Product

      • String name
      • String description
      • User owner <== one-to-many relationship between User and Product

      To create a new product for the owner with id = 1, you can submit the following request:

      http://localhost:8080/aplicationName/product/create?owner.id=1

      But, if you submit the following request, you will be able to change the name of the User with id = 1

      http://localhost:8080/aplicationName/product/create?owner.id=1&owner.name=newName

      ----------------------------------------------------------------

      Now suppose the existence of another class named Client.

      Client

      • String name
      • String address

      If you submit a POST request similar to the URL below, you will be able to change data in the client table.

      http://localhost:8080/aplicationName/product/save?name=TV Samsung&description=Very good&client.id=1&client.name=newName

      I know that the request above is a GET request, but by submitting a POST request with these request parameters (client.id=1&client.name=newName) you will be able to change the name of the client with id=1.

      This same behavior occurs with the update action.

      On my system I solved this problem by using the discard() method on the objects that should not be changed, but I think you need to take care of this problem urgently.

      Thanks,
      Carlos Ribeiro
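The binding pattern the report exercises, the reporter's discard() workaround and an allow-list alternative, as an added example that is not code from the Grails project or from the reporter. It assumes the User and Product domain classes above and the Grails 1.3-era controller APIs bindData(), params.long() and discard().

```groovy
// Added example, not code from the Grails project or the issue reporter.
// Assumes the User/Product domain classes from the report, a Grails 1.3.x
// controller, and the 1.3-era APIs bindData(), params.long() and discard().
class ProductController {

    // Scaffolded pattern the report exercises: new Product(params) binds every
    // request parameter, so "owner.id=1" resolves User 1 and "owner.name=x"
    // then renames that managed User; the change is flushed with the save.
    def saveUnsafe = {
        def product = new Product(params)
        saveAndRedirect(product, 'create')
    }

    // Reporter's workaround: evict the bound owner from the Hibernate session
    // before the flush, so the renamed User is never written back. The Product
    // still references the owner by id, but any bound owner.* values are lost.
    def saveWithDiscard = {
        def product = new Product(params)
        product.owner?.discard()
        saveAndRedirect(product, 'create')
    }

    // Preferred: bind an explicit allow-list of the Product's own fields and
    // resolve the association from its id alone, so no property of an existing
    // User can be reached from request parameters at all.
    def save = {
        def product = new Product()
        bindData(product, params, [include: ['name', 'description']])
        product.owner = User.get(params.long('owner.id'))
        saveAndRedirect(product, 'create')
    }

    // Same allow-list applied to the update action the report also mentions.
    def update = {
        def product = Product.get(params.long('id'))
        if (!product) { response.sendError(404); return }
        bindData(product, params, [include: ['name', 'description']])
        saveAndRedirect(product, 'edit')
    }

    // Shared save/redirect path; failView is the form to re-render on error.
    private void saveAndRedirect(Product product, String failView) {
        if (product.save(flush: true)) {
            redirect(action: 'show', id: product.id)
        } else {
            render(view: failView, model: [productInstance: product])
        }
    }
}
```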

        Activity

        Jeff Scott Brown added a comment -

        This doesn't look like a bug.

        Carlos Ribeiro added a comment -

        Not a Bug? It was fixed in Grails 2.

        Jeff Scott Brown added a comment -

        Who fixed it?

        Jeff Scott Brown added a comment -

        I don't think the behavior described in the description is a bug and I am not sure what might have been fixed about it. Anyone?

        Carlos Ribeiro added a comment -

        OK, perhaps not a bug, but an undesired characteristic. In Grails 2 this characteristic does not exist anymore.


          People

          • Assignee: Unassigned
          • Reporter: Carlos Ribeiro