I am currently filtering a list of documents according to a certain criteria.
Then I present this list to the user and I have a
<p:commandButton action="#{controllerBean.downloadDocument(document.id)}" ajax="false" />
Looking at the rendered code, I don't see the document id anywhere but that doesn't mean it is somehow encoded and can be decoded, changed and reencoded from the client.
My understanding of JSF state handling is quite weak but, correct me if I am wrong: manually changing the value of an action parameter value is not possible from the client because, even when stored on the client, only the server can decode and encode session states, and the parameter values are stored there. Am I right or should I add a check to downloadDocument(document.id) to make sure the user has permission to download that particular document.id? I will add this check in the future no matter what but I want to know how critical this issue is right now.
It's stored as a MethodExpression in the JSF component tree (not in the JSF view state!) and it's evaluated in the server side during the INVOKE_APPLICATION phase of the form submit triggered by the command component in question. It's indeed in no way encoded to HTML output, on the contrary to e.g. <f:param> (in case you're familiar with PrimeFaces, that's also exactly the reason why <p:graphicImage> can't work with EL method parameters in its value but only with HTTP request parameters via a nested <f:param>).
The only "risk" is when the during INVOKE_APPLICATION evaluated value of #{document} (indirectly) depends on some request scoped state which can be controlled by the client, such as a request parameter or a request path. Please note again that the #{document} is evaluated during the postback, not during the initial request.
To have a better understanding of view building, rendering and state saving, below Q&A may be helpful: