Description
I have the following form that change the forward path to /bar.jsp
<netui:form action="submit">
<netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
<netui:button value="submit" />
</netui:form>
I also have the following action in my page flow.
@Jpf.Action(
forwards=
)
protected Forward submit(Form form)
If the current page is index.jsp, this should navigate back to that, when the form is submitted it will navigate to bar.jsp. In my mind this is actually a security hole. I can dynamically change the navigation externally in this situation. I haven't played around with the other exposed properties (currentPageInfo, previousPageInfo, previousActionInfo) all expose the same JavaBean that is not immutable.
I'm going to open a Jiri bug on this. I think this is critical and needs to be fixed now. My suggestion is that we rename these methods on the PageFlowController so they aren't picked up as JavaBean properties.
I suggest we do this to:
currentPageInfo
previousPageInfo
previousActionInfo
modeulConfig
actions
We need to spin a new release on this.