
Change how RenderingModel instances are populated on rendering

Currently, when rendering, RenderingModel instances are populated with request parameters. That is, if the model has a setFoo(String) method, it will be called with the value of the foo request parameter.

Proposed change:

  • Keep the current behavior for models with no annotations, simply for backwards compatibility
  • Support 2 new annotations, perhaps similar to the jax-rs annotations:
    • @QueryParam - this field is set from request parameters
    • @ContentProperty - this field is set using the value of a corresponding property on the content node being rendered.

Annotation names are still to be thought about / improved.
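A sketch of the opt-in binding for annotated models, as an added example that is not Magnolia code: the `@QueryParam` annotation, the `bind` helper, the `SearchModel` class and the request parameters are all hypothetical and constructed for illustration. It covers only the annotated case, where a request parameter reaches a field only if that field is annotated, so a parameter named after an internal setter is ignored.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.Map;

public class AnnotatedBindingExample {

    // Hypothetical annotation named after the proposal; not an existing Magnolia API.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface QueryParam {}

    // Constructed sample model: only 'query' is meant to be client-controlled.
    static class SearchModel {
        @QueryParam String query;
        String templatePath = "/templates/search.ftl"; // internal state, not annotated

        // Under setter-based population, both setters are reachable from the URL.
        public void setQuery(String q) { this.query = q; }
        public void setTemplatePath(String p) { this.templatePath = p; }
    }

    // Binds only String fields that opt in via @QueryParam; every other
    // request parameter is ignored, whatever setters the model exposes.
    static void bind(Object model, Map<String, String[]> params) throws IllegalAccessException {
        for (Field f : model.getClass().getDeclaredFields()) {
            if (!f.isAnnotationPresent(QueryParam.class) || f.getType() != String.class) continue;
            String[] values = params.get(f.getName());
            if (values == null || values.length == 0) continue;
            f.setAccessible(true);
            f.set(model, values[0]);
        }
    }

    public static void main(String[] args) throws Exception {
        SearchModel model = new SearchModel();
        // Constructed request parameters: one expected, one aimed at an internal setter.
        Map<String, String[]> params = Map.of(
            "query", new String[] {"magnolia"},
            "templatePath", new String[] {"/other/template.ftl"});
        bind(model, params);
        System.out.println("query = " + model.query);
        System.out.println("templatePath = " + model.templatePath);
    }
}
```

Running `main` shows `query` taking the request value while `templatePath` keeps its default, because the binder never consults the setters.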

4 Comments

  1. The @QueryParam would be an important security enhancement. At the moment any model setter can be called just by adding a URL parameter to the request. That isn't very secure. The @QueryParam would be an excellent improvement.

    Is it implemented?

  2. 2 Thumbs up for the @QueryParam annotation. As mentioned I think this would be a very worthwhile improvement from the point of view of security.

    My Vote for the way the Annotation should work is something like this:

    @MgnlParam([<httpmethod>],[<typehandler>])
    public void setFoo(String foo){
    ...
    }

    <httpmethod> would be an optional String (or enum) parameter identifying the type of request the parameter is valid for (typically GET or POST or both)

    <typehandler> would be an optional Class parameter identifying a Class that implements a "TypeHandler" interface for converting the request parameter to the setter method's argument type. Maybe based on org.apache.commons.beanutils.Converter, or something similar.

  3. PS: I don't like "QueryParam" because of potential confusion with JCR Queries or other types of Queries. "RequestParam" or "MgnlParam" I like better.

    1. @QueryParam was suggested, or should I say largely inspired!, by the JAX-RS annotations.
      Unfortunately, no progress has been made at this stage that I know of.
      If you'd like to take a stab at this, the renderers are where it's at. I'd venture that one could come up with an alternative Renderer implementation that takes care of this, btw :)