Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Each of OgnlRuntime.getMethodValue(), OgnlRuntime.setMethodValue(), OgnlRuntime.getFieldValue() have an overload that indicates whether to check access using the context's MemberAccess. But OgnlRuntime.setFieldValue() does not have this overload, and never performs any access check. Thus, ObjectPropertyAccessor.setPossibleProperty() will not honour the MemberAccess when setting the value of a member field.
AFAICT this bug is still in the CVS head.