the User that is logged in, the data is not set in the action bean and therefore not shown to the user.
The checks are done in each setter method, because the setter is what gets called once the id from the request has been turned into an object loaded from the database. The id is under the user's control, so the setter is the first place where the loaded object can be compared against the logged-in user. Here's how we prevent users from seeing other people's folders:
    public void setFolder(Folder folder) {
        // Only accept the folder if it belongs to the logged-in user
        if (getUser().equals(folder.getUser())) {
            getContext().setCurrentFolder(folder);
        }
    }
If the folder is owned by another user, it is not set as the current folder and not shown in the JSP. Similarly, from a Message we can get the corresponding Folder and, from there, the owning User, and we can use the same logic in the setter method for a Message:
    public void setMessage(Message message) {
        // Walk Message -> Folder -> User and compare with the logged-in user
        if (getUser().equals(message.getFolder().getUser())) {
            this.message = message;
        }
    }
Finally, preventing users from seeing other people's contacts works almost the same way, except that we also have to check that the User is not null. Indeed, when the user is creating a new contact, setContact() is called before the contact is saved, so the user has not been associated with the contact yet.
    public void setContact(Contact contact) {
        User user = contact.getUser();
        // A null owner means a brand-new, not yet saved contact
        if (user == null || getUser().equals(user)) {
            this.contact = contact;
        }
    }
With these checks for ownership, users cannot meddle in other people's business. Note that the null branch in setContact() is only safe because a contact is never saved without an owner: any contact that reached the database with a null User would pass the check for everyone. With that in mind, we now have some pretty good security measures in the webmail application.
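To see the three checks behave as described, here is an added, self-contained example. It is not the book's code: it uses minimal stand-ins for User, Folder, Message and Contact, an action bean that receives the logged-in user through its constructor instead of the session, and a main() that plays the role of the framework binding objects loaded for an id the user chose. setFolder() stores the folder in a field rather than in the context so the result can be inspected; all class and field names beyond those in the text are assumed.

```java
import java.util.Objects;

public class OwnershipCheckDemo {

    // Minimal stand-ins for the webmail domain classes (assumed, not the book's).
    static final class User {
        final String login;
        User(String login) { this.login = login; }
        @Override public boolean equals(Object o) {
            return o instanceof User && ((User) o).login.equals(login);
        }
        @Override public int hashCode() { return login.hashCode(); }
    }

    static final class Folder {
        final String name;
        final User owner;
        Folder(String name, User owner) { this.name = name; this.owner = owner; }
        User getUser() { return owner; }
    }

    static final class Message {
        final Folder folder;
        Message(Folder folder) { this.folder = folder; }
        Folder getFolder() { return folder; }
    }

    static final class Contact {
        final String name;
        User owner;                 // stays null until the contact is saved
        Contact(String name, User owner) { this.name = name; this.owner = owner; }
        User getUser() { return owner; }
    }

    // Stand-in for the action bean. The real bean gets the logged-in user from the
    // session; here it is passed in. The setters follow the text, except that
    // setFolder() keeps the folder in a field instead of the context.
    static final class MailActionBean {
        private final User currentUser;
        private Folder folder;
        private Message message;
        private Contact contact;

        MailActionBean(User currentUser) {
            this.currentUser = Objects.requireNonNull(currentUser, "must be logged in");
        }
        User getUser() { return currentUser; }

        public void setFolder(Folder f) {
            if (getUser().equals(f.getUser())) folder = f;      // else: silently not set
        }
        public void setMessage(Message m) {
            if (getUser().equals(m.getFolder().getUser())) message = m;
        }
        public void setContact(Contact c) {
            User u = c.getUser();
            if (u == null || getUser().equals(u)) contact = c;  // null owner = new contact
        }
        Folder getFolder() { return folder; }
        Message getMessage() { return message; }
        Contact getContact() { return contact; }
    }

    static void check(boolean ok, String what) {
        System.out.println((ok ? "PASS  " : "FAIL  ") + what);
        if (!ok) System.exit(1);
    }

    public static void main(String[] args) {
        User alice = new User("alice");
        User bob = new User("bob");
        Folder aliceInbox = new Folder("Inbox", alice);
        Folder bobInbox = new Folder("Inbox", bob);

        // Alice is logged in; each setter call simulates the framework binding an
        // object that was loaded from the database for an id taken from the request.
        MailActionBean bean = new MailActionBean(alice);

        bean.setFolder(aliceInbox);
        check(bean.getFolder() == aliceInbox, "own folder is set");
        bean.setFolder(bobInbox);                       // e.g. ?folder=<Bob's id>
        check(bean.getFolder() == aliceInbox, "Bob's folder is ignored");

        bean.setMessage(new Message(bobInbox));         // message sitting in Bob's folder
        check(bean.getMessage() == null, "message in Bob's folder is ignored");
        Message own = new Message(aliceInbox);
        bean.setMessage(own);
        check(bean.getMessage() == own, "own message is set");

        Contact fresh = new Contact("Carol", null);      // not saved yet: no owner
        bean.setContact(fresh);
        check(bean.getContact() == fresh, "unsaved contact (no owner) is accepted");
        bean.setContact(new Contact("Dave", bob));
        check(bean.getContact() == fresh, "Bob's contact is ignored");
    }
}
```

Run it with `java OwnershipCheckDemo.java` (Java 11 or later). The last two checks illustrate the caveat about the null branch: the unsaved contact is accepted precisely because it has no owner yet, which is why the owner must be assigned before the contact is saved.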