I've been wondering something for a little while now. Some of the crud style links in my app use 'h:commandLink', with 't:updateActionListener' to set the particular element id value for that page. In days past I'd put the id on the query string, so like ...
/app/DetailPage.do?itemId=1234 Now, obviously, you had to be careful because somebody could change the id value manually. With JSF, using t:updateActionListener, can somebody change the id value sent? If I'm 100% sure they couldn't, I could relax the access checking a little. Most of these links are in t:dataTable's, with preserveDataModel="true". If state is kept on the server, or encrypted on client (I think you can do that, right?), do I have to worry about the user getting access to something they shouldn't? Thanks in advance, -Kevin
