Block Request for Inaccessible Widgets
Revision as of 08:27, 7 July 2021
Non-existing Components are Safer than Invisible Ones
Users can easily reach inaccessible elements (such as disabled or invisible ones) with browser developer tools. For example, a hostile user can make an invisible button visible and then click it to trigger actions the application did not intend. Thus, it is recommended not to create an element at all if it is not supposed to be accessible. For example, the first statement is safer than the second one in the following example, because the first does not render the button when accessible is false, while the second renders it and only hides it:
<button unless="${accessible}"/>
<button visible="${accessible}"/>
Block with InaccessibleWidgetBlockService
Since 5.0.0
- Available for ZK: Enterprise Edition (EE)
ZK Enterprise Edition provides a InaccessibleWidgetBlockService to block events sent from inaccessible widgets with a default set of rules. Because such default rules don't apply to all use cases, it is not enabled by default.
Limitation
Your business class should be responsible for verifying user roles and the associated permissions. As a UI framework feature, this service works as a filter (helper) that blocks the general cases before your business class verifies the user permissions, which can save processing cost. Please note that this service should not play the main role of determining the permissions associated with the roles.
Apply the Default Blocking Service
To apply it to the whole application, add the following listener to zk.xml:
<listener>
<listener-class>org.zkoss.zkmax.au.InaccessibleWidgetBlockService$DesktopInit</listener-class>
</listener>
Then, each time a desktop is created, an instance of InaccessibleWidgetBlockService is added to the desktop to block the requests from the inaccessible widgets.
Default Blocking Rules
- Block all events from disabled and invisible components
- Block onChange, onChanging, onSelect of a read-only component
- Not block onOpen
Specify Events to Block
In many cases, you want to block only particular events, not all of them. You can then specify a comma-separated list of events in zk.xml, as below, to control the behavior of InaccessibleWidgetBlockService. For example,
<library-property>
<name>org.zkoss.zkmax.au.IWBS.events</name>
<value>onClick,onChange,onSelect</value>
</library-property>
Supported Components
All invisible components are blocked. Some components are blocked when they are disabled/read-only, as follows:
Component |
---|
Button |
A |
Listbox |
Menuitem |
Navitem |
Textbox |
Tree |
Intbox |
Spinner |
Doublebox |
Decimalbox |
Longbox |
Doublespinner |
Timepicker |
Timebox |
Checkbox |
Datebox |
Combobox |
Chosenbox |
Selectbox |
Implement Your Own Blocking Rules
If you want to block requests for inaccessible widgets for the whole application or for a particular desktop, you can implement the AuService interface to filter out unwanted requests. The implementation of AuService is straightforward. For example, the following example blocks only onClick requests sent to a Button:
import org.zkoss.zk.au.AuRequest;
import org.zkoss.zk.au.AuService;
import org.zkoss.zk.ui.Component;
import org.zkoss.zul.Button;

public class MyBlockService implements AuService {
    // Returning true blocks the request; returning false lets ZK process it normally.
    public boolean service(AuRequest request, boolean everError) {
        final Component comp = request.getComponent();
        // Block every onClick sent to a Button; other components and commands pass through.
        return (comp instanceof Button) && "onClick".equals(request.getCommand());
    }
}
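The following is an added example, not code from the ZK documentation or the ZK project: an AuService that applies the three default blocking rules listed above (invisible, disabled, read-only with value-changing events, onOpen left alone) and only blocks a request when the target component is actually inaccessible, plus a DesktopInit that installs it on every desktop. The class name AccessibilityBlockService, the nested Installer class and the package name are assumptions; the ZK types used (AuService, AuRequest, Component, Desktop, DesktopInit, Disable, Readonly) are existing ZK APIs.

```java
// Added example (not from the ZK documentation): a blocking AuService that checks
// the component's real state instead of blocking a fixed component/event pair.
package example; // hypothetical package name

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.zkoss.zk.au.AuRequest;
import org.zkoss.zk.au.AuService;
import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Desktop;
import org.zkoss.zk.ui.ext.Disable;
import org.zkoss.zk.ui.ext.Readonly;
import org.zkoss.zk.ui.util.DesktopInit;

public class AccessibilityBlockService implements AuService {

    // Value-changing events: meaningless on a read-only input, so a client that
    // sends one has very likely edited the DOM or forged the request.
    private static final Set<String> VALUE_EVENTS =
        new HashSet<String>(Arrays.asList("onChange", "onChanging", "onSelect"));

    // Returning true blocks the request; false lets ZK process it normally.
    public boolean service(AuRequest request, boolean everError) {
        final Component comp = request.getComponent();
        if (comp == null) {
            return false; // desktop-level requests carry no component; not our concern
        }
        final String cmd = request.getCommand();

        // Rule 1: a component is effectively invisible if it or any ancestor is
        // invisible; the client can only reach it after tampering with the DOM.
        for (Component c = comp; c != null; c = c.getParent()) {
            if (!c.isVisible()) {
                return block(request, "invisible");
            }
        }
        // Rule 2: a disabled component must not send any event at all.
        if (comp instanceof Disable && ((Disable) comp).isDisabled()) {
            return block(request, "disabled");
        }
        // Rule 3: a read-only input may still be opened (onOpen passes through)
        // but must not change its value.
        if (comp instanceof Readonly && ((Readonly) comp).isReadonly()
                && VALUE_EVENTS.contains(cmd)) {
            return block(request, "read-only");
        }
        return false;
    }

    // Record why a request was rejected; repeated hits from one session are a
    // useful signal that someone is manipulating the client-side UI.
    private boolean block(AuRequest request, String reason) {
        System.err.println("Blocked " + request.getCommand() + " on component "
            + request.getComponent().getUuid() + " (" + reason + ")");
        return true;
    }

    // Installs one service instance per desktop, the same pattern as
    // InaccessibleWidgetBlockService$DesktopInit. Register it in zk.xml with:
    //   <listener>
    //     <listener-class>example.AccessibilityBlockService$Installer</listener-class>
    //   </listener>
    public static class Installer implements DesktopInit {
        public void init(Desktop desktop, Object request) throws Exception {
            desktop.addListener(new AccessibilityBlockService());
        }
    }
}
```

To apply the service to a single desktop instead of the whole application, call desktop.addListener(new AccessibilityBlockService()) from your own code (for example in a page's composer) and omit the zk.xml listener. As the Limitation section above says, this filter rejects requests a well-behaved client would never send; authorization decisions still belong in the business layer.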
Version History
Version | Date | Content |
---|---|---|
8.0.3 | 2016/09/21 | Add "supported components" table |