Carsten Ziegeler wrote:
> Hmm, I might be wrong, but does this really protect you? If you have a flow that is usable by not authenticated users, you run into the same problem I think.
I see, you are right. An unauthorized user can get access to the continuation by adding the continuation parameter to another request he is authorized for.
I have solved a similar problem in an application by using a wrapped sendPage() like:
function w_sendPage(x, y, z) {
    var currentUser = getCurrUser(); // userPrincipal/remoteUser/whatever
    sendPage(x, y, z);
    // When the continuation is resumed, the request may come from a
    // different user than the one who created it: refuse to continue.
    if (currentUser != getCurrUser()) {
        throw "Bad boy!";
    }
}

Although not perfect, in that application, where authorization is mandatory, it stops users from giving/emailing each other links to stuff which as you can imagine can cause some problems. This is the poor man's version of Vadim's proposed pre-function-call and pre-handle-continuation hooks.
This won't stop unauthorized users from "stealing" other unauthorized continuations though... but it will stop unauthorized users from using authorized continuations.
Regards,
Niklas
