2

I have created specific code that allow a user to load a dialog to specify some search criterias.

The code that call the dialog is

<i   class="fa fa-fw fa-dot-circle-o"
     onclick="PF('LoadLabelHomoVectoDialog').show();"
     />
<p:inputText
     id="CertificationCodeId"
     value="#{vC.postLabellingSearchCriteria.certificationCode}"
     readonly="true"
     />

The user click on icon and dialogbox is displayed. The user make some action in dialog, click on OK button and CertificationCodeId inputText widget is filled directly using Javascript. I can see specific value in it.

Then on main page (not more in dialog), I click on SEARCH button to start a new search using criteria value found in CertificationCodeId inputText widget.

If readonly attribute equal "false", the widget value is correctly transmitted to ViewController on server.

If readonly attribute equal "true", the widget value is NOT transmitted to ViewController on server.

I thought that readonly attribute is only to prohibit user input, but not to prohibit value to be transmitted to server.

What do I wrong ?

Is that a Primefaces issue ?

There exists a answer to my problem to Validate readonly components anyway on form submit that is disctinct from what is proposed !!! What is proposed is a duplicate of the link I propose :-)

schlebe
  • 3,387
  • 5
  • 37
  • 50
  • Possible duplicate of [Force JSF to process, validate and update readonly/disabled input components anyway](https://stackoverflow.com/questions/32390081/force-jsf-to-process-validate-and-update-readonly-disabled-input-components-any) – Kukeltje Oct 12 '18 at 11:11
  • Transmited or processed? Major difference. It is transmitted, just not processed – Kukeltje Oct 12 '18 at 11:14

2 Answers2

2

JSF and PrimeFaces do not process values when inputs are disabled or readOnly for security purposes. So even a hacker enables the input and submits the form, JSF-PrimeFaces checks the component. So it is standard behavior. You need to enable it on server side.

Found here: https://forum.primefaces.org/viewtopic.php?t=15632

Javier
  • 111
  • 5
  • https://stackoverflow.com/questions/32390081/force-jsf-to-process-validate-and-update-readonly-disabled-input-components-any – Kukeltje Oct 12 '18 at 11:12
  • the following link give better explanation https://stackoverflow.com/questions/24088759/validate-readonly-components-anyway-on-form-submit/24089336#24089336 – schlebe Oct 12 '18 at 12:21
0

Because I will that visible inputText is READ-ONLY, the only solution is to duplicate READ-ONLY inputText like this ...

<i   class="fa fa-fw fa-dot-circle-o"
     onclick="PF('LoadLabelHomoVectoDialog').show();"
     />
<p:inputText
     id="CertificationCodeId"
     value="#{vC.postLabellingSearchCriteria.certificationCode}"
     readonly="true"
     />
<p:inputText
     id="CertificationCodeIdBecauseJSFdontSentReadOnlyWidgetValueToServer"
     value="#{vC.postLabellingSearchCriteria.certificationCode}"
     style="display:none"
     />

The value of second widget is sent to server because it is not disabled or read-only.

In Javascript code, I must assign the two widget.

JSF and PrimeFaces do not process values when inputs are disabled or readOnly for security purposes. So even a hacker enables the input and submits the form, JSF-PrimeFaces checks the component.

I think now, that issue that JSF/Primefaces want to avoid, is always there because an hacker can change content of the hidden widget.

The only thing I see is that the code is more complex and less readable :-)

Why to do simple when it is possible to do complex ?

schlebe
  • 3,387
  • 5
  • 37
  • 50
  • @kukeltje - I have read the communicated duplicate link. But have you read the duplicate link that I have communicated ? Your duplicate link if from 2015 and my duplicate link is from 2014 ! In fact your duplicate link is a duplicate of question posted in 2014 ! But perhaps I misunderstand what you will say with 'No' ! But in all case, the answer to my question found is correct in 2014 and 2015 posts. Personally, I find that BalsuC answer in 2014 post is more documented. – schlebe Oct 15 '18 at 08:04