Well, I actually end up doing the update only on the required fields on my EJB layer. This way, I don't need to worry about the exposure of the ActionForm fields.

--- "Freddy Villalba A." <[EMAIL PROTECTED]> wrote:

> Hi,
>
> I believe you shouldn't abuse either the MVC pattern or the Struts
> framework. All the issues regarding buyer's actions as well as seller's
> are part of a specific area: workflow management.
>
> Implement a basic WF Management subsystem (or integrate one into your
> application), define the roles (buyer / seller / whatever...), the
> actions (along with the corresponding pre- and post-), the nodes, etc...
> and yes, have your presentation layer (Struts) integrate with it. I know
> it's not simple or cheap... yet, I'm almost convinced that, at the end,
> it would've been a good investment for you and your project.
>
> Save yourself from trying to convert Struts into an
> all-mighty-god-who-knows-and-solves-everything tool.
>
> For me, that's the bottom-line for all these issues.
>
> Again, just my opinion. HTH.
>
> Cheers,
> Freddy.
>
> -----Original Message-----
> From: David Suarez [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 17:06
> To: [EMAIL PROTECTED]; Struts Users Mailing List
> Subject: RE: Exposing ActionForm and MVC fields
>
> How about creating a hash/digest when you send the page down with your
> read-only fields and save it to session/hidden (you know the +/-), then
> compare it on the re-submit to see if any of the values have changed.
> If so, throw SecurityException or something similar?
>
> Would that work for you...djsuarez
>
> -----Original Message-----
> From: Lee Harrington [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 8:52 AM
> To: Struts Users Mailing List
> Subject: Re: Exposing ActionForm and MVC fields
>
> > In this case, I'm still susceptible to be
> > hacked by JavaScript, because of the ActionForm fields
> > exposure.
> > What about that???
>
> Different actions. I'd recommend a dispatch action class...with
> different methods depending on whether the buyer or seller submitted.
> That way, in the seller method, even if they did hack the submit form
> your action would not be doing anything with those fields.
>
> Lee
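
The digest check David Suarez suggests in the quoted thread, sketched as an added example (not code from the thread or from Struts). It assumes a keyed HMAC-SHA256 with a secret held only on the server, so that a tag placed in a hidden field cannot be recomputed by the client; the class name, field names and sample values are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;

// Added example, not code from the thread; class and field names are hypothetical.
public class ReadOnlyFieldSeal {
    private final SecretKeySpec key;
    public ReadOnlyFieldSeal(byte[] serverSecret) { key = new SecretKeySpec(serverSecret, "HmacSHA256"); }

    // Tag over the read-only fields, computed when the page is rendered.
    public String seal(Map<String, String> readOnlyFields) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        // Sorted keys and length prefixes keep the encoding unambiguous.
        for (Map.Entry<String, String> e : new TreeMap<>(readOnlyFields).entrySet()) {
            for (String part : new String[] { e.getKey(), Objects.toString(e.getValue(), "") }) {
                byte[] b = part.getBytes(StandardCharsets.UTF_8);
                mac.update((b.length + ":").getBytes(StandardCharsets.UTF_8));
                mac.update(b);
            }
        }
        return Base64.getEncoder().encodeToString(mac.doFinal());
    }

    // On re-submit: recompute over the submitted values and compare in constant time.
    public void verify(Map<String, String> submitted, String tag) throws Exception {
        byte[] expected = seal(submitted).getBytes(StandardCharsets.UTF_8);
        byte[] actual = String.valueOf(tag).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, actual)) {
            throw new SecurityException("read-only form fields were modified");
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // assumption: key held only on the server
        ReadOnlyFieldSeal seal = new ReadOnlyFieldSeal(secret);
        Map<String, String> rendered = Map.of("itemId", "1001", "price", "25.00"); // constructed
        String tag = seal.seal(rendered);
        seal.verify(rendered, tag); // unchanged values pass
        try {
            seal.verify(Map.of("itemId", "1001", "price", "0.01"), tag); // altered price
        } catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

The check only detects changes to fields that were included in the sealed map, so fields a given role must not set still need to be ignored on the server, as the other replies in the thread describe.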