Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.4.2
    • Security Level: Public (Public: Anyone can view)
    • Labels:
      None
    • Rice Module:
      KRAD
    • Sprint:
      2.5.0-m3 Sprint 1, 2.5.0-m3 Sprint 2
    • KAI Review Status:
      Not Required
    • KTI Review Status:
      Pending Review
    • Code Review Status:
      Not Required
    • Include in Release Notes?:
      Yes

      Description

      The first pain point is having to add @MethodAccessible to all controller methods that can be invoked via get requests. The reason for this is we only have information about valid methods on a post, and therefore need to be told a method was ok on a get. However, this is redundant. In order for a controller method to be accessible, Spring requires you to add the RequestMapping annotation, which can then be restricted to get methods. So I am proposing we don't check get requests at all (just posts), and rely on the Spring RequestMapping to provide the same level of security. Keep in mind once we have the 'Use Screen' permission these get methods can be restricted to a role, and if the method is requesting a view, document, or other asset the usual KIM permissions apply.
      The second pain point is again on get requests, but with binding of parameters to the form. Again, we only have information about valid binding properties on a post, so we require a property be marked as accessible if it will be populated on a get. Currently you add a RequestAccessible annotation, which can then be restricted to just get methods. But this opens up the binding for all get requests. There is more discussion on this problem from the KS devs here:
      https://docs.google.com/a/kuali.org/document/d/1k8iIfigFMsShSMOA2wg7ze-iBGgxUB5j5B19Gv17qV0/edit#
      One thing we can do is allow the RequestAccessible to be associated with a mapping. If everyone is following the methodToCall convention, we can simply add methodToCall as a param on the annotation:

      @RequestAccessible(methods=HttpMethod.GET, methodToCall="show")
      private String termCode;

      This would only bind the property if the request was a get, and the methodToCall parameter was “show”. If needed, we can add other mapping parameters that Spring supports.
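      The following is an added illustration of the binding check the proposal implies; it is not Rice/KRAD code and the class, field and constant names (RequestAccessibleDemo, TermForm, VIEW_BINDING_PROPERTIES) are hypothetical. It models the annotation as a stand-in with the two elements named above and shows how a binder would decide, per request parameter, whether a GET may populate a form property: the property must carry the annotation, the HTTP method must be listed, and the request's methodToCall must match. Unannotated properties are rejected on a GET; on a POST the decision falls back to the set of properties the view configuration declares, which here is a constructed set.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Field;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Illustration only: a stand-in for the proposed annotation and the binding
// check it implies. Not Rice/KRAD code; class and field names are hypothetical.
public class RequestAccessibleDemo {

    enum HttpMethod { GET, POST }

    // Empty methods(): allowed on any HTTP method. Empty methodToCall(): any mapping.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface RequestAccessible {
        HttpMethod[] methods() default {};
        String[] methodToCall() default {};
    }

    // Hypothetical form backing the demonstration.
    static class TermForm {
        // Bound on a GET only when the request also carries methodToCall=show.
        @RequestAccessible(methods = HttpMethod.GET, methodToCall = "show")
        String termCode;

        // Bound on any request, whatever methodToCall says.
        @RequestAccessible
        String notes;

        // Not annotated: never bound from a GET. On a POST it is bound only if the
        // view configuration lists it (constructed stand-in set below).
        String userId;
    }

    // Constructed stand-in for the binding properties KRAD knows on a POST from the view.
    static final Set<String> VIEW_BINDING_PROPERTIES =
            new HashSet<>(Arrays.asList("termCode", "notes", "userId"));

    static boolean isBindable(Field field, HttpMethod method, String methodToCall) {
        if (method == HttpMethod.POST) {
            return VIEW_BINDING_PROPERTIES.contains(field.getName());
        }
        RequestAccessible ann = field.getAnnotation(RequestAccessible.class);
        if (ann == null) {
            return false; // GET with no annotation: reject the parameter
        }
        boolean methodOk = ann.methods().length == 0
                || Arrays.asList(ann.methods()).contains(method);
        boolean mappingOk = ann.methodToCall().length == 0
                || Arrays.asList(ann.methodToCall()).contains(methodToCall);
        return methodOk && mappingOk;
    }

    // Returns the parameters that pass the check; everything else is dropped, not bound.
    static Map<String, String> bind(Class<?> formClass, HttpMethod method, Map<String, String> params) {
        String methodToCall = params.get("methodToCall");
        Map<String, String> bound = new LinkedHashMap<>();
        for (Map.Entry<String, String> p : params.entrySet()) {
            if ("methodToCall".equals(p.getKey())) {
                continue; // dispatch parameter, not a form property
            }
            Field field;
            try {
                field = formClass.getDeclaredField(p.getKey());
            } catch (NoSuchFieldException e) {
                continue; // unknown property: never bound
            }
            if (isBindable(field, method, methodToCall)) {
                bound.put(p.getKey(), p.getValue());
            }
        }
        return bound;
    }

    // Builds an ordered parameter map from key/value pairs (constructed request data).
    static Map<String, String> params(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) {
            m.put(kv[i], kv[i + 1]);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed requests: same parameters, different methodToCall and HTTP method.
        Map<String, String> showGet = params("methodToCall", "show",
                "termCode", "201901", "notes", "hello", "userId", "admin");
        Map<String, String> startGet = params("methodToCall", "start",
                "termCode", "201901", "notes", "hello", "userId", "admin");

        System.out.println("GET show  : " + bind(TermForm.class, HttpMethod.GET, showGet));
        System.out.println("GET start : " + bind(TermForm.class, HttpMethod.GET, startGet));
        System.out.println("POST start: " + bind(TermForm.class, HttpMethod.POST, startGet));
    }
}
```

      On the GET with methodToCall=show, termCode and notes pass and userId is dropped; on the GET with methodToCall=start only notes passes, because termCode is tied to the show mapping; on the POST the view's declared properties govern instead. The point of scoping the annotation to a mapping is that a property needed by one GET handler does not become bindable from every other GET to the same controller.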

      Also, look into not requiring @MethodAccessible for custom post methods. This could be done by keeping track of what methods are available from the view configuration (not just rendered), and if the method is outside that list allow it to be invoked.

          Activity

          There are no comments yet on this issue.

            People

            • Assignee: nigupta Nisha Gupta (Inactive)
            • Reporter: jkneal Jerry Neal (Inactive)
            • Votes: 0
            • Watchers: 2

              Dates

              • Created:
                Updated:
                Resolved:

                Time Tracking

                Estimated: 1 day
                Remaining: 1 day
                Logged: Not Specified