No Save For You!

Ryan Sonnek bio photo By Ryan Sonnek

I love how naive some software developers are. For some reason people just don’t realize that littering your view layer with business logic is a bad idea. Here’s an example. I just stumbled across a web application that has the amazing security feature to prevent user’s from submitting a page if they don’t have permission. Now, how do you suppose they implemented that?

<!-- only display save button if user has permission -->
<c:if test="${userHasPermission}">
  <input type="submit" name="submit" value="submit" />

There’s nothing inherintly wrong with this solution, except for the fact that this is the only place security is enforced in the application.

Thank God for tools like greasemonkey and firebug that allow you to execute scripts against the available DOM. Something like this works like a champ to get around that pesky security.