
Does invisible also imply disable

Aug 29, 2012 at 10:33 AM

Hi

I just want to know: if I hide an action in Naked Objects, does that imply that it is also disabled? I.e., if a user does a post to trigger an action that is hidden, will the action still be performed?

Piro

Aug 29, 2012 at 10:48 AM

I'm pretty sure that if the user attempted to post to an action that was hidden - an error would be thrown and the action not made.  I know for sure that this is the case for the Restful Objects API, and therefore ought to be the same for Naked Objects MVC, which goes through substantially the same gateways.  But I can't say I've personally ever tested this scenario in MVC.

I assume this is really a security question i.e. you are concerned about a rogue user armed with a suitable tool -  not a genuine user, using it via the browser?

I will see if I can verify this more formally.   If you're in a position to simulate such an attempt, please do and report back.

Aug 29, 2012 at 10:52 AM

"I assume this is really a security question i.e. you are concerned about a rogue user armed with a suitable tool -  not a genuine user, using it via the browser?"

That is correct.

Aug 29, 2012 at 11:01 AM

Thinking about it further,  I was too hesitant with my first response.   If an action is hidden (whether that is via a [Hidden] attribute, a Hide method, or via authorization permissions) then the user cannot invoke that action -  even if they were to bypass the UI and interact directly with the server  -  because they will still be coming in through the Naked Objects reflector.

Aug 29, 2012 at 11:08 AM

XAT seem to confirm this as they throw an exception when trying to invoke a hidden action.

Aug 29, 2012 at 11:16 AM

Yes  -  same mechanism in action.  

For MVC I didn't yet try this out with a Post, but as a simpler example of the same thing:

1.  Select a menu action that has params  -  which will take you to the dialog.  

2.  Copy the URL from the browser.

3.  Hide that action and re-run the app (the menu action is not now there)

4.  Paste the copied URL into the browser and hit return.  You should get an error.  It's not necessarily a very helpful error message  -  but it does not need to be.  This is not guarding against a casual user error.  (And in fact you don't want to confirm to this rogue user that the Hidden action even exists).  N.B. This is all much more carefully defined in the RO spec  -  as to which type of error is returned  -  but the same mechanism is used for MVC.

Aug 29, 2012 at 11:35 AM

Perfect. Thanks much.