I'm trying to create a form so the user can alter their own private data (address, age...) in my web application:

  • The view:

    public class UserDetailsView {
    
        private Long userId;
        private String name;
        ...
    }
    

In the @GetMapping of the form page I load all the user data into the form view and then send the loaded view to Thymeleaf, which creates the final HTML. All this process is working fine.

  • My problem is:

For obvious reasons, the form doesn't have a field for the userId variable, and I don't want to create a hidden field for the ID, to avoid malicious users who could easily alter the userId field.

  • My question is:

How do I keep the same UserDetailsView instance on the server side to keep the userId variable content, just changing the variables related to the fields in the form? Actually, my current solution is searching the database for the logged-in user to get its ID and then updating the UserDetails table.

Ivo Fritsch

2 Answers


If users can only change the data related to themselves, just keep the userId (and maybe the rest of the user details that you may need across the application) in the session.

Pablo Lozano
  • But what about other types of data instead of the user info? Example: the user wants to alter the data of one record that is from a "1-n" relation, like the description of one of their books. I don't know if I was clear – Ivo Fritsch Feb 15 '17 at 13:24

First of all, if you are trying to submit the form you should be using the POST method. @GetMapping is a composed annotation that acts as a shortcut for @RequestMapping(method = RequestMethod.GET).

What you should be using on your controller method is something like

@RequestMapping(value = "/update", method = RequestMethod.POST)

Secondly, the user who is trying to update his details should already be logged in and authenticated. It should not be coming from the form. Here is an example of how to get the logged-in user using Spring Security:

How to get the current logged in user object from spring security?

Sam2016
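Both answers make the same point from different sides: the row to update is selected by the authenticated principal (session or security context) and the form is submitted with POST, while no id ever comes from the request body. The comment under the first answer asks how that extends to a 1-n relation such as a user's books. The controller below puts the pieces together as an added example; it is not code from the question or from either answer. It assumes Spring 5+ with Spring Security on the classpath, and hypothetical Spring Data repositories `UserRepository` (with `findByUsername`) and `BookRepository` (with a derived query `findByIdAndOwnerId`) over hypothetical JPA entities `User` and `Book`; the template name `userDetails` is also assumed.

```java
import org.springframework.http.HttpStatus;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.validation.BindingResult;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.server.ResponseStatusException;

// Form-backing bean: only the fields the user may edit. Deliberately no userId.
class UserDetailsForm {
    private String name;
    private String address;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }
}

@Controller
public class UserDetailsController {

    // Hypothetical Spring Data repositories and JPA entities (User, Book);
    // assumed for this example, not part of the question.
    private final UserRepository users;
    private final BookRepository books;

    public UserDetailsController(UserRepository users, BookRepository books) {
        this.users = users;
        this.books = books;
    }

    // Defence in depth against mass assignment: even if a client posts
    // userId=42 alongside the form fields, the binder drops it.
    @InitBinder("userDetailsForm")
    public void restrictBindableFields(WebDataBinder binder) {
        binder.setAllowedFields("name", "address");
    }

    @GetMapping("/me")
    public String showForm(Authentication auth, Model model) {
        User me = currentUser(auth);
        UserDetailsForm form = new UserDetailsForm();
        form.setName(me.getName());
        form.setAddress(me.getAddress());
        model.addAttribute("userDetailsForm", form);
        return "userDetails"; // Thymeleaf template name, assumed
    }

    // The form is submitted with POST; the row to update is chosen by the
    // authenticated principal, never by a value in the request.
    @PostMapping("/me")
    public String update(@ModelAttribute("userDetailsForm") UserDetailsForm form,
                         BindingResult errors, Authentication auth) {
        if (errors.hasErrors()) {
            return "userDetails";
        }
        User me = currentUser(auth);
        me.setName(form.getName());
        me.setAddress(form.getAddress());
        users.save(me);
        return "redirect:/me";
    }

    // 1-n case from the comment: the book id does come from the URL, but the
    // lookup is scoped to the current user's id, so a foreign book id yields
    // 404 instead of an update of someone else's record.
    @PostMapping("/books/{bookId}")
    public String updateBook(@PathVariable Long bookId,
                             @RequestParam String description,
                             Authentication auth) {
        User me = currentUser(auth);
        Book book = books.findByIdAndOwnerId(bookId, me.getId())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));
        book.setDescription(description);
        books.save(book);
        return "redirect:/books/" + bookId;
    }

    // Resolve the logged-in user from the security context, not from the form.
    private User currentUser(Authentication auth) {
        if (auth == null) {
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED);
        }
        return users.findByUsername(auth.getName())
                .orElseThrow(() -> new ResponseStatusException(HttpStatus.UNAUTHORIZED));
    }
}
```

Two checks worth keeping even if the rest is adapted: the `@InitBinder` whitelist, so that re-adding a hidden `userId` field (or an attacker adding one) cannot change which row is written, and the ownership-scoped query in `updateBook`, which makes the "does this record belong to me" decision in the same statement that fetches the record rather than as a separate comparison that can be forgotten.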