Manipulating a disabled attribute in client side; does JSF test properly if component is disabled?

Question

Primefaces 3.5.10, Mojarra 2.1.21, Omnifaces 1.5

I am thinking about security issues.

I set the component attribute with the component.getAttributes() method. This method returns a HashMap with attributes. Is it safe to set the ("disabled", true)-pair in this map to disable the component (for example p:inputText-component)? I use it from an actionListener, (Phase 5 or 4) of jsf pipeline. So possibly it has implications for render phase only. But I could manipulate the disabled attribute from input method on the client and then post the manipulated values. Does the server make test if the component is disabled and rejects the changes ?

What is the best way to go ?

all components in panelGrid will be disabled:

xhtml:
<p:panelGrid>
  <my:component/>
  <p:input value=#{mybean.value} />
</p:panelGrid>

Bean:

for (UIComponent component : l) {
  component.getAttributes().put("disabled", true);

  recursion(....);
}

Answer 1

But I could manipulate the disabled attribute from input method on the client and then post the manipulated values.

Yes, the enduser could.

---

Does the server make test if the component is disabled and rejects the changes ?

Yes, JSF does it based on component tree state, not on the submitted value. So that part is safe. It does that by the way also for readonly and rendered attribtues.

See also:

• Why JSF saves the state of UI components on server?
• Which properties in a JSF backing bean can be set by a user?
• commandButton/commandLink/ajax action/listener method not invoked or input value not updated (point 5)