Eduardo Costa

Reputation: 1994

Wicket security against forged requests

If I hide and disable a Wicket form, do I need to double-check the visibility conditions in my onSubmit? (Just like we do with JS validation versus server validation?)

Consider this Wicket snippet:

public class TestPage extends WebPage {
    public TestPage() {
        boolean editable = checkIfUserCanEdit();
        add(new TestForm()
                .setEditable(false)
                .setVisible(false));
    }
}
public static class TestForm {
    ...
    public void onSubmit() {
        if (!checkIfUserCanEdit()) abort(); // Is this necessary?
        ...
    }
}

Do I need the "revalidation" in my onSubmit?

Upvotes: 2

Views: 118

Answers (1)

mfunk

Reputation: 180

Looking at the call hierarchy of onSubmit(), one comes across:

protected void delegateSubmit(IFormSubmitter submittingComponent)
[...]
    public void component(Form<?> form, IVisit<Void> visit)
    {
        if (form.isEnabledInHierarchy() && form.isVisibleInHierarchy())
        {
            form.onSubmit();
        }
    }
[...]

Given that, I'd say no need to protect any further.

Upvotes: 2
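
A compilable version of the question's page, added here as an example (it is not code from either poster or from the Wicket project). It derives the two flags that the guard quoted in the answer reads from the permission check in onConfigure(), and keeps the question's re-check in onSubmit() as an explicit submit-time decision. Assumptions: the component id "form", matching markup in TestPage.html, and the stubbed body of checkIfUserCanEdit().

```java
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

// Assumes TestPage.html contains <form wicket:id="form">...</form>.
public class TestPage extends WebPage {

    public TestPage() {
        add(new TestForm("form"));
    }

    // Hypothetical stand-in for the question's permission check; a real
    // application would ask its session or access-control service here.
    static boolean checkIfUserCanEdit() {
        return false;
    }

    static class TestForm extends Form<Void> {

        TestForm(String id) {
            super(id);
        }

        // Called before each render, so the flags follow the current
        // permission instead of a value computed once in a constructor.
        @Override
        protected void onConfigure() {
            super.onConfigure();
            boolean editable = checkIfUserCanEdit();
            setEnabled(editable);
            setVisible(editable);
        }

        // Wicket calls this only when the form is enabled and visible in
        // its hierarchy (the guard quoted in the answer). The check below
        // repeats the permission decision at the moment of the submit.
        @Override
        protected void onSubmit() {
            if (!checkIfUserCanEdit()) {
                throw new AbortWithHttpErrorCodeException(403, "Editing not permitted");
            }
            // ... perform the edit ...
        }
    }
}
```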
