-1

Could you please give me some directions on how to pass values from disabled or readonly input fields in xhtml page to requestscoped bean?

  • I thought that I can bypass jsf checking the field state by disabling fields in javascipt code on form open and then submit form, but that did not help too.
  • I cannot use view scope, because I would have to set then almost
    every page in my application in view scope.
  • It is very inconvenient to use hidden fields for this purpose, because it would double the number of fields on the page.

Maybe I have missed some clean solution? Thank you in advance for any help.

Roman Ko
  • 3
  • 3

1 Answers1

0

Disabling fields using JavaScript didn't work probably because you didn't enable them just before sending a form. Values of disabled fields are not sent (see input documentation).

For example the following code works perfectly well:

<h:form>
    <h:inputText id="disabledinput" styleClass="disabled"
        value="#{someBean.property}"></h:inputText>
    <h:outputScript>
        $('.disabled').attr('disabled', 'disabled');
    </h:outputScript>
    <h:commandButton action="#{someBean.action}"
        onclick="$('.disabled').removeAttr('disabled'); return true;"
        value="Submit" />
</h:form>

onclick attribute executes JavaScript code that enables input just before sending the form.

If you use AJAX request you have to restore disabled state using oncomplete or similar.

The problem with this solution is that user can manipulate the value. E.g. she/he can use javascript console in a browser to change the input to enabled or use some tool (e.g. curl) to prepare or tamper request. So if the value is sensitive or should never be changed by the user consider storing the value in the session.

IMHO if the value was provided by the user in one of the previous steps then it doesn't matter that much. However, if value is calculated (like total value or something) you should not depend on its value as users could change it. Personally I would prefer to store the value on server side (in session or in flash).

Community
  • 1
  • 1
Dawid Pytel
  • 2,750
  • 1
  • 23
  • 30
  • Thank you, Dawid. I will certainly try to use enabling inputs just before submit. But what to you mean by "anyone can manipulate the value"? Is there a security risk that user can somehow change and submit the values which he should not? – Roman Ko Dec 25 '14 at 20:36
  • Here is what have been working for me: function setDisabled(flag) { if(flag) { $('.ui-state-disabled').prop('disabled',true); } else { $('.ui-state-disabled').prop('disabled',false); } } setDisabled(true); – Roman Ko Dec 26 '14 at 21:44
  • You didn't mention that you use Primefaces. Because Primefaces `p:commandButton` uses AJAX requests by default then you should obviously restore disabled attribute of the input as you did. I edited my answer to reflect that. Regarding possible threats I also described ways how a user can manipulate "disabled" value. – Dawid Pytel Dec 27 '14 at 21:20
  • I would prefer to store values on server side too but if not the one no: there are many pages with many fields, also planned to be > 10 concurrent users, so it will consume very much memory if store values in session or in view scopes. But, your answer about sending disabled field values with the help of javascript code and the downside of using this technic is very valuable for me. I would certainly vote this answer up if the stackoverflow allow it for new users. Thank you for help. – Roman Ko Dec 28 '14 at 17:41
  • @RomanKo do not leave the question without accepted answer. If my answer solves the problem (and IMHO it does, especially after my edits) please accept it. If you have better solution please describe it so that others can use it. – Dawid Pytel Jan 04 '15 at 20:27