grails-core icon indicating copy to clipboard operation
grails-core copied to clipboard

Published 20 hours ago verified publisher icon grails

Grails `bindable` constraint not being respected

Open joe-albert opened this issue 1 year ago • 3 comments

Expected Behavior

We are using command objects with the Validatable interface. In the constraints block we are using bindable: false for some properties. The expected behavior is that these fields should be non-bindable by the front-end user when they access endpoints.

Actual Behaviour

Instead, if the command object is either defined in a plugin, or not referenced in the argument list of an endpoint on a controller, the command object will be fully bindable even if bindable is set to false.

Why does a command object need to be referenced in a controller within the same project in order for bindable to be respected?

Steps To Reproduce

  1. Create a grails application and plugin
  2. Define a command object using the bindable: false constraint on a property within the plugin
  3. Create a controller in the main application with an endpoint that uses the command object from the plugin
  4. Try to bind in data via the url for the new endpoint

I created an example application showing the issue with unit-tests that also show the issue. In the project the "ExampleController" class has further explanation if needed.

Environment Information

Mac OS Monterey Java 17.0.2-zulu Groovy 3.0.11 Grails 5.2.5

Example Application

https://github.com/joe-albert/grails-bindable-bug

Version

5.2.5

joe-albert avatar Mar 17 '23 21:03 joe-albert

At https://github.com/joe-albert/grails-bindable-bug/blob/c81ed7b45df60d5fc502d6d7f29d789f40f78a16/examplePlugin/grails-app/controllers/exampleapplication/ExampleBrokenCommandObject.groovy#L10-L13 you have the following:

    static constraints = {
        nonBindableProperty null: false, bindable: false
        bindableProperty null: false
    }

Are those null: false intentional?

jeffscottbrown avatar May 30 '23 12:05 jeffscottbrown

@jeffbrown , sorry about that, I meant to write nullable: false

It wasn't impacting the example at all but I just pushed a fix for it switching it to nullable: false and it's still not working as expected

joe-albert avatar May 30 '23 14:05 joe-albert

I have the same problem, both when using automatic binding (command object as controller parameter) and when using bindData().

Environment Information

Windows 10 Grails 4.1.3 Groovy 2.5.21 Java 8

Workaround

I managed to prevent binding by using @BindUsing({obj, source -> null })

Zorobay avatar Jan 10 '24 10:01 Zorobay