ninja icon indicating copy to clipboard operation
ninja copied to clipboard

Published 20 hours ago verified publisher icon ninjaframework

Returning non-success result code from action should not render default template by default

Open cbxp opened this issue 8 years ago • 3 comments

Currently Ninja framework renders default action template even when non-success result code is specified.

Here's a pseudo-code of how to reproduce that problem:

public class PostsController {
  public Result edit(@PathParam("Id") Long postId) {
    Post post = db.find(postId, Post.class);
    if (!post.belongsTo(currentUser)) return Results.forbidden();

    return Results.ok().html().render("post", post);
  }
}

What happens when post does not belong to currentUser? I would expect that a blank or default 403 html template will be rendered, but Ninja will render edit.ftl.html instead with a http response code of 403.

This should not ever happen, because it will create a potential security leaks. It is just not expected behavior.

Yes, with the example above, template rendering will probably fail because post is not set as a parameter, but in real life there might be other views, which will work.

cbxp avatar Mar 04 '16 10:03 cbxp

Yes you are right. I never use a return error without specifing the html template ex : return Results.unauthorized().html().template(NinjaConstant.LOCATION_VIEW_FTL_HTML_UNAUTHORIZED);

And then you have to create your error page : http://puu.sh/nuslD/363e63c53f.png

danielsawan avatar Mar 04 '16 13:03 danielsawan

If you want to get a default forbidden page, the current way to do it in Ninja:

public PostsController {

private Ninja ninja;

@Inject
public Controller(Ninja ninja) {
    this.ninja = ninja;
}

public Result edit(@PathParam("Id") Long postId) {

Post post = db.find(postId, Post.class);
if (!post.belongsTo(currentUser)) return ninja.getForbiddenResult();

return Results.ok().html().render("post", post);

}

}

-Joe

On Fri, Mar 4, 2016 at 5:16 AM, Codeborne [email protected] wrote:

Currently Ninja framework renders default action template even when non-success result code is specified.

Here's a pseudo-code of how to reproduce that problem:

public class PostsController { public Result edit(@PathParam("Id") Long postId) { Post post = db.find(postId, Post.class); if (!post.belongsTo(currentUser)) return Results.forbidden();

return Results.ok().html().render("post", post);

} }

What happens when post does not belong to currentUser? I would expect that a blank or default 403 html template will be rendered, but Ninja will render edit.ftl.html instead with a http response code of 403.

This should not ever happen, because it will create a potential security leaks. It is just not expected behavior.

Yes, with the example above, template rendering will probably fail because post is not set as a parameter, but in real life there might be other views, which will work.

— Reply to this email directly or view it on GitHub https://github.com/ninjaframework/ninja/issues/480.

jjlauer avatar Mar 04 '16 13:03 jjlauer

Yes, I know now that I have to specify template manually or use solutions similar provided by @jjlauer, but these are not solutions to the original problem, which is that ninja framework does no behave as expected and might cause security problems in real life.

jarmo avatar Mar 05 '16 10:03 jarmo