To introduce my question, I have a few service methods that I use for creating new entities and modifying existing entities, as there is often side effect work that needs to be done at the same time. As a side note, I’ll look into entity listeners and the like in the future, but for now, at least, this is how I’ve been doing it.
When I make a service call, some parameters are entities themselves. Sometimes I pass the exact entity I want to make changes to, and sometimes I pass a related entity from which to gather information or with which to associate the new entity.
However, I’m noticing that these entities can be edited on the client by a malicious user before the service method is called, potentially resulting in associations or entity data that should just not occur.
In addition, the entity passed may not contain the data that would exist if the entity were obtained in the service method itself (not passed in a parameter).
Is there a standard way to ensure that the entity being passed is a replicate of the managed version of that entity?
I imagine it would be useful to allow changes to be made to the entity before passing it to a service, but it would also be nice to be able to ensure that no changes have occurred.
Two workaround options I’ve considered are to pass the ID of the entity as a parameter instead of the entity itself, or to pass the entity and replace it in the service method by calling entityManager.find() with the ID, but both of these options seem a bit unwieldy - the latter being more so than the former.
Is there a better way to do this?
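The second workaround described in the post (reloading by ID inside the service and taking only selected fields from the client's copy), shown as an added example that is not part of the original post or of any framework's code. The `Order` class, the `updateNote` method and the in-memory `store` standing in for `entityManager.find()` are hypothetical, and the sample data is constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added example: Order, updateNote and store are hypothetical names.
public class TrustedReloadExample {
    static class Order {
        UUID id; String ownerLogin; String status; String note;
        Order(UUID id, String ownerLogin, String status, String note) {
            this.id = id; this.ownerLogin = ownerLogin; this.status = status; this.note = note;
        }
    }

    // Stand-in for the persistence context; find() plays the role of entityManager.find().
    static final Map<UUID, Order> store = new HashMap<>();
    static Order find(UUID id) { return store.get(id); }

    // The client-supplied instance is untrusted input: only its ID and the one
    // field the caller is allowed to edit (note) are ever read from it.
    static Order updateNote(Order fromClient, String callerLogin) {
        if (fromClient == null || fromClient.id == null)
            throw new IllegalArgumentException("entity id required");
        Order managed = find(fromClient.id);          // server-side state is the source of truth
        if (managed == null)
            throw new IllegalArgumentException("no such order");
        if (!managed.ownerLogin.equals(callerLogin))  // compare with the stored owner, not the client's copy
            throw new SecurityException("caller does not own this order");
        managed.note = fromClient.note;               // allow-listed field only
        return managed;
    }

    public static void main(String[] args) {
        UUID id = UUID.randomUUID();
        store.put(id, new Order(id, "alice", "NEW", ""));   // constructed sample data

        // Tampered client copy: owner and status were changed before the call.
        Order tampered = new Order(id, "mallory", "PAID", "please rush");
        Order result = updateNote(tampered, "alice");
        System.out.println(result.ownerLogin + " " + result.status + " " + result.note);

        try {
            updateNote(tampered, "mallory");          // ownership is checked against stored data
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The tampered `ownerLogin` and `status` never reach the stored entity, because the service copies a fixed set of fields instead of persisting the instance it was handed.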