Adrian Crum wrote: > --- On Sat, 1/30/10, Adam Heath <doo...@brainfood.com> wrote: >> From: Adam Heath <doo...@brainfood.com> >> Subject: Re: svn commit: r904921 - in >> /ofbiz/trunk/framework/base/src/org/ofbiz/base: test/BaseUnitTests.java >> util/string/UelUtil.java >> To: dev@ofbiz.apache.org >> Date: Saturday, January 30, 2010, 6:46 PM >> Adrian Crum wrote: >>> The moral of the story is: developers shouldn't be >> allowed to write to the service context Map. If a service >> needs a Map for local storage, then it should create one. >> >> Maybe the service engine should make the map readonly, >> with >> Collections.unmodifiableMap? > > Yes, plus make get() method calls for parameters that are not defined in the > service definition throw an exception. It should be an error to try to > retrieve a parameter that is not in the service definition.
It gets more complex too. keySet() needs to be modified as well, values() needs to check if the found value is from a key that is actually allowed by the service, etc. I believe the service engine is allowed to pass a map to a service, where the map actually contains values other than those required; this might occur with SECA or some such. Actually, restricting get calls might be the wrong thing to do. That would change the contract that the Map interface gives for get. Map<K, V> says what keys are stored in the map, but get takes an Object parameter. So, I vote against this get restriction. > > > >
