[
https://issues.apache.org/jira/browse/MYFACES-4180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16313064#comment-16313064
]
Paul Nicolucci commented on MYFACES-4180:
-----------------------------------------
There are three methods for getting views:
1) ResourceHandler.getViewResources(...) -> This uses the ResourceVisitOptions
and we can determine to return meta-inf/web-inf depending on the value.
2) ViewHandler.getViews(...) -> This just calls through to
ViewDeclarationLanguage.getViews(...):
{code:java}
Override
public Stream<String> getViews(FacesContext facesContext, String path, int
maxDepth, ViewVisitOption... options)
{
Stream concatenatedStream = null;
for (ViewDeclarationLanguage vdl :
_vdlFactory.getAllViewDeclarationLanguages())
{
Stream stream = vdl.getViews(facesContext, path, maxDepth, options);
if (concatenatedStream == null)
{
concatenatedStream = stream;
}
else
{
concatenatedStream = Stream.concat(concatenatedStream, stream);
}
}
return concatenatedStream == null ? Stream.empty() : concatenatedStream;
{code}
3) ViewDeclarationLanguage.getViews(...) -> This calls through to the
ResourceHandler.getViewResources(...) and passes TOP_LEVEL_VIEWS_ONLY which
with our fix will prevent views within meta-inf/web-inf from being returned.
{code:java}
/**
*
* @since 2.3
* @param facesContext
* @param path
* @param maxDepth
* @param options
* @return
*/
public Stream<java.lang.String> getViews(FacesContext facesContext, String
path,
int maxDepth, ViewVisitOption... options)
{
// Here by default we follow what spec javadoc says
// "...This method works as if invoking it were equivalent to
evaluating the expression:
// getViewResources(facesContext, start, Integer.MAX_VALUE,
options) ..."
// The problem here is ViewVisitOption != ResourceVisitOption. But
whatever return
// getViews must always have TOP_LEVEL_VIEWS_ONLY, because otherwise it
will return
// everything (css, js, ...). There is
ViewVisitOption.RETURN_AS_MINIMAL_IMPLICIT_OUTCOME,
// but this is a filter on top of the stream.
return
facesContext.getApplication().getResourceHandler().getViewResources(
facesContext, path, maxDepth,
ResourceVisitOption.TOP_LEVEL_VIEWS_ONLY);
{code}
So in summary I think we are ok here. We can only get to web-inf/meta-inf if we
call ResourceHandler.getViewResources and don't pass in the
TOP_LEVEL_VIEWS_ONLY parameter. This as far as I can tell is the same behavior
that is on Mojarra.
> ResourceVisitOption.TOP_LEVEL_VIEWS_ONLY behavior different between MyFaces
> and Mojarra
> ---------------------------------------------------------------------------------------
>
> Key: MYFACES-4180
> URL: https://issues.apache.org/jira/browse/MYFACES-4180
> Project: MyFaces Core
> Issue Type: Bug
> Components: JSR-372
> Affects Versions: 2.3.0-beta
> Reporter: Paul Nicolucci
> Assignee: Paul Nicolucci
> Fix For: 2.3.0
>
> Attachments: MYFACES-4180.patch
>
>
> See the following dev discussion:
> http://mail-archives.apache.org/mod_mbox/myfaces-dev/201711.mbox/%3cof507ae5dc.a54b3314-on002581db.006603e5-852581db.00680...@notes.na.collabserv.com%3e
> We need to determine what updates we want to make here and how best to make
> them.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
