Skip to content

SimpleEvaluationContext does not enforce read-only semantics #33319

Closed
@sbrannen

Description

@sbrannen

SimpleEvaluationContext.forReadOnlyDataBinding() documents that it creates a SimpleEvaluationContext for read-only access to public properties; however, that is only partially true. Write access is in fact disabled for properties accessed via the registered DataBindingPropertyAccessor, but write access is not disabled for indexed structures when using the assignment operator, the increment operator, or the decrement operator.

In order to better align with the documented contract for forReadOnlyDataBinding(), we should make it possible to disable assignment (i.e., write access within a SpEL expression) in general in order to enforce read-only semantics for SpEL's SimpleEvaluationContext when created via the forReadOnlyDataBinding() factory method.

Metadata

Metadata

Assignees

Labels

in: coreIssues in core modules (aop, beans, core, context, expression)status: backportedAn issue that has been backported to maintenance branchestype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions