Say I do a page import of the domain in GSP, for example:
<%@ page import="com.sample.entity.Book" %>
and use it in the page via
<g:select from="${Book.list()}"
optionKey="id"
optionValue="title"
name="bookSample"/>
Is it bad programming practice to use the import? I am very new to Grails and have seen this practice in a lot of tutorials, but my lead discourages me from doing this because, according to him, hackers can easily get the data from the DB. I've been arguing against it, but I guess I need some support.
I do agree that, as above, it is more ideal to use the controller to get the list of Books, but I don't get the idea that using the <%@ page import="" %> is bad coding because it makes the page vulnerable.
I know that GSPs are compiled and so no reference of the import is visible to the HTML pages.
Update: thank you all for giving your inputs. I've updated the question to give it more focus. If someone told you it is wrong and this was the reason, you kind of think beyond best practices and more about security, which I truly can't imagine happening through an import.
I'm not so sure about the "hackers will do bad things" reasoning, but there is a better approach to using GORM directly in the GSP.
Let's be clear, using GORM directly in the GSP isn't technically wrong, it's just a bad practice. Why? It's not giving you a clear separation of your Model and View.
Your view (GSP) shouldn't be building the model. It should simply be using it to render a view. Your controller, however, really should build the model that your view (GSP) uses.
In your example that model comes from a GORM query. However, in the future you may end up delegating that to a service that uses some micro-service instead.
Since the model is being constructed in the controller and not the GSP you won't have to comb through all your GSPs and find where you would need to refactor that. It should be as simple as changing the controller.
That's the real reason why you should avoid using GORM in a GSP directly. Separation of concerns.
As far as the actual importing of the domain is concerned? That's not really a bad practice, since your model will likely contain domain instances. It's a bit verbose (and not really needed for the most part) but that verbosity also lends itself to documenting what domain classes are being used by a view.
I typically don't use specific imports in my GSPs because I've found that the model changes over time and maintaining the imports becomes an issue.
Update: After giving it even more thought, I can't for the life of me come up with a true reason why using imports in your GSP would be considered a security risk. Your lead has a lot of explaining to do, or you need to replace him.
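The controller-builds-the-model approach the answer recommends, as an added example that is not code from the question or the answer. It assumes a hypothetical BookService with a listForSelect() method and a create action on a BookController; the file paths in the comments are standard Grails conventions, and the service and controller would normally live in separate files under grails-app/services and grails-app/controllers.

```groovy
// grails-app/services/com/sample/BookService.groovy
// Hypothetical service that owns the query. Today it is a GORM call; later it
// could wrap a REST client or another micro-service without touching any GSP.
package com.sample

import com.sample.entity.Book

class BookService {

    List<Book> listForSelect() {
        // Sorted, read-only list for populating a <g:select>
        Book.list(sort: 'title', order: 'asc')
    }
}

// grails-app/controllers/com/sample/BookController.groovy
package com.sample

class BookController {

    // Injected by Grails by property name (convention over configuration)
    BookService bookService

    // The controller builds the model. The returned map's keys become
    // variables available in grails-app/views/book/create.gsp.
    def create() {
        [books: bookService.listForSelect()]
    }
}

// grails-app/views/book/create.gsp (view side, shown here as a comment):
// <g:select from="${books}" optionKey="id" optionValue="title" name="bookSample"/>
//
// No page import and no GORM call in the GSP: it only renders the
// 'books' variable the controller handed it.
```

With this layout, changing where the books come from (GORM today, a service-backed micro-service tomorrow) is a change in BookService alone; the controller and every GSP that renders ${books} stay as they are, which is the separation-of-concerns point the answer is making.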