« Previous | Next » 

Revision 3f6576e4

ID3f6576e47756a170d98232ff7f5a35d679052701

Added by Sebastian Kurfuerst over 9 years ago

[!!!][FEATURE] (MVC): Whitelist-based Property Mapping Configuration

Up to now, property mapping always allowed to modify all properties of a given
object. Especially in the MVC stack, this functionality was relied upon for
all update and create actions. However, for nested objects, the user needed
to configure whether updates and creations should be allowed.

This was an inconsistent behavior, especially because for read-only actions the
object could be also modified.

The behavior is now changed to be more predictive:

- the default PropertyMappingConfiguration used in the MVC stack is changed
to be very restrictive: we do neither allow creation of any new objects nor
modification of existing ones; and all properties which should be modified
must be explicitly configured.

- For each form, Fluid now generates a list of trusted properties, based upon
which the PropertyMappingConfiguration is set correctly. This means only
properties which have been rendered by fluid are allowed to be modified,
and creation / insertion is only permitted if needed.

BREAKING CHANGES
----------------

- PropertyMappingConfiguration::doNotMapProperty (no public API) was removed.
Instead, use ::allowAllPropertiesExcept(…).
- Furthermore, an exception is now thrown if a property is not allowed to be
mapped. Before, the property was just ignored silently. You should either
write your own TypeConverter to deal with that or filter the input data
correctly before property mapping.

In a nutshell:

- If you used Fluid forms, everything will still work as expected.
- If you used Fluid forms and needed to adjust the property mapping configuration
manually, you can remove these manual adjustments.
- If you manually called the Property Mapper and passed a custom Property Mapping
Configuration, you probably need to call …->allowAllProperties() on the property
mapping configuration.
- If you did not used Fluid forms but relied upon the old behavior of the Property
Mapper (e.g. in a web service), you need to configure the Property Mapper
inside your initializeAction correctly now.

Note: You need the accompanying Fluid change for testing this feature as well.

Change-Id: Iac7bbb2a58ad890701fff2b0ad6b16a0e0b15bba
Resolves: #36776
Releases: 1.1

  • added
  • modified
  • copied
  • renamed
  • deleted