Paul-J Woodward wrote:
Hmm nasty, thinking quickly, I'd guess you have three options:
1. pass the username to the form (dangerous as it's easy to hack)
2. don't display fields the user can't set (again easy to hack)
3. have two copies of the form, one in a session, one in the request. On submission, copy the fields from the request form to the session form if the user has permission to set them, otherwise ignore any changes to the field.


Better still, do 2 and 3.

I finally managed to address that problem - I didn't have time the last few days.. All solutions I thought about before were quite unsatisfying. I resolved the issue by applying an additional filter on each action. It wraps the request in a new RequestWrapper, which filters all parameters based on an XML-based access list, as in the example below.

<form-beans>
  <form-bean name="editUserForm">
    <form-property name="uid"      read="self,admin"
       write="userAdmin"/>
    <form-property name="password" read="self,admin"
       write="self,userAdmin"/>
    ...
  </form-bean>
</form-beans>

I'm using the same structure to display/disable the appropriate form field (read-only means the form field will be disabled). If the user doesn't have access to a form field, the parameter gets replaced by its original value (taken from a copy of the bean in the session). That added another "line of defense" to my app.. :)

Thanks,
Arne Brutschy
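An added illustration of the filter Arne describes (example code, not his): a servlet Filter whose HttpServletRequestWrapper rebuilds the parameter set from the write access list, keeping a submitted value only when one of the caller's roles may write that property and otherwise restoring the value from the session copy of the bean. It assumes, hypothetically, that the session holds that copy as a Map<String,String> under "editUserForm" and the caller's effective roles under "roles", and it builds the access list in code instead of parsing the XML.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: parameters the caller may not write are replaced by the value held in
// the session copy of the bean, so a tampered field never reaches the action.
public class ParameterAccessFilter implements Filter {
    // Constructed inline for brevity; the post reads this from its XML form-bean list. "self"
    // is a pseudo-role the application adds to the role set when the caller edits its own record.
    static final Map<String, Set<String>> WRITE_ACL = new HashMap<>();
    static {
        WRITE_ACL.put("uid", new HashSet<>(Arrays.asList("userAdmin")));
        WRITE_ACL.put("password", new HashSet<>(Arrays.asList("self", "userAdmin")));
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession s = http.getSession(false);
        // Assumed session layout: bean copy as Map<String,String> under "editUserForm",
        // the caller's effective roles as Set<String> under "roles".
        chain.doFilter(new FilteredRequest(http, s == null ? null : s.getAttribute("editUserForm"),
                                           s == null ? null : s.getAttribute("roles")), res);
    }

    static class FilteredRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new HashMap<>();
        @SuppressWarnings("unchecked")
        FilteredRequest(HttpServletRequest r, Object bean, Object roles) {
            super(r);
            Map<String, String> original = bean == null ? new HashMap<String, String>() : (Map<String, String>) bean;
            Set<String> roleSet = roles == null ? new HashSet<String>() : (Set<String>) roles;
            for (Enumeration<?> e = r.getParameterNames(); e.hasMoreElements();) {
                String n = (String) e.nextElement();
                Set<String> allowed = WRITE_ACL.get(n);              // unlisted => deny by default
                if (allowed != null && !Collections.disjoint(allowed, roleSet)) {
                    params.put(n, r.getParameterValues(n));          // permitted: keep submitted value
                } else if (original.containsKey(n)) {
                    params.put(n, new String[] { original.get(n) }); // denied: restore session value
                }                                                    // denied and unknown: drop it
            }
        }
        // Every accessor reads the filtered copy, so no consumer (getParameterMap() included) sees the submitted value.
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
        @Override public String[] getParameterValues(String n) { return params.get(n); }
        @Override public String getParameter(String n) { String[] v = params.get(n); return v == null ? null : v[0]; }
    }
}
```

Because unlisted parameters are dropped, anything the action reads beyond the form-bean properties (a dispatch parameter, for instance) has to be listed too, or the filter mapped only to that form's action path.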

