Conditionally binding Spring MVC fields

Question

I want to limit the fields that are permitted by my WebDataBinder so that ordinary users can't create objects attached to other accounts. I can do this pretty easily using an @InitBinder:

@InitBinder
void initBinder(WebDataBinder binder) {
    binder.disallowedFields = ['owner', 'createdAt']
}

However, I want administrators to be able to set the owner field.

The only "declarative" solution I've seen is to write duplicate controller methods that map based on the user's role and attach different binder specifications to the different fields. Is there any clean way to dynamically specify what fields are allowed/disallowed/required?

How about combining http://stackoverflow.com/a/22520819/1686330 with a custom subclass of `WebDataBinder` that overrides `isAllowed()`? — Dirk Lachowski, Jul 01 '15 at 16:43
@DirkLachowski That approach is so massively invasive that it'd be less flaky to just manually implement the check logic directly in the controllers. :-/ — chrylis -cautiouslyoptimistic-, Jul 01 '15 at 16:57
Then maybe this is a good occasion to raise a feature request in the spring jira. Doesn't help now, but who knows... — Dirk Lachowski, Jul 01 '15 at 17:07
I don't even know how to phrase it. Hmm, perhaps I'll ping the usual suspects on Twitter. — chrylis -cautiouslyoptimistic-, Jul 01 '15 at 17:10
Just a thought, keep the role and not allowed fields per form bean info, in an xml (or write custom annotation) . Write an mvc interceptor which removes the values from not allowed fields for role as defined in xml ? — Amit Parashar, Jul 01 '15 at 17:17
@AmitParashar That's basically reimplementing the data binder. — chrylis -cautiouslyoptimistic-, Jul 01 '15 at 17:18
Maybe you'll wave a look at https://jira.spring.io/browse/SPR-6534 — Dirk Lachowski, Jul 02 '15 at 11:08

Conditionally binding Spring MVC fields

0 Answers0