Doh. I was thinking that I would avoid an extra trip to the datastore this way. But of course I have to do the .get() in order to change the goal entity. At which point I can check the user's key as you suggest. Please excuse my thinko.

Unless there is a way to do a .put() on a pre-existing entity without first doing a .get()? I didn't see anything in the docs corresponding to a SQL UPDATE statement, but if there is a way to do this I'd definitely like to know about it.

Matt

On Wed, Apr 21, 2010 at 10:18 PM, Tristan <[email protected]> wrote:
> the goal entity should have a user's entity key that you get out of
> the session object on the server. when you then process 'complete'
> action, you should check first that the user's entity key in goal
> entity matches the one you got from server session. otherwise you're
> leaving yourself vulnerable.
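
The ownership check discussed in this exchange, as an added example that is not part of the original thread. `FakeDatastore`, `complete_goal`, the `user_key` field and the sample keys are constructed stand-ins rather than App Engine APIs; the point is that the single `get()` needed for the update also supplies the owner key to compare against the server-side session.

```python
class Forbidden(Exception):
    """The session user does not own the requested entity."""

class NotFound(Exception):
    """No entity exists under the requested key."""

class FakeDatastore:
    """Constructed in-memory stand-in for a key/value datastore."""
    def __init__(self):
        self._rows = {}
        self.reads = 0          # counts round trips made by get()

    def get(self, key):
        self.reads += 1
        row = self._rows.get(key)
        return dict(row) if row is not None else None

    def put(self, key, entity):
        self._rows[key] = dict(entity)

def complete_goal(store, session_user_key, goal_key):
    """Mark a goal complete only if it belongs to the session's user.

    session_user_key is read from the server-side session, never from the
    request. goal_key is client-supplied and therefore untrusted.
    """
    goal = store.get(goal_key)                 # the one read the update needs anyway
    if goal is None:
        raise NotFound(goal_key)
    if goal["user_key"] != session_user_key:   # ownership check before any write
        raise Forbidden(goal_key)
    goal["completed"] = True
    store.put(goal_key, goal)
    return goal

def demo():
    store = FakeDatastore()
    # Constructed sample data: two goals owned by different users.
    store.put("goal-1", {"user_key": "user-alice", "completed": False})
    store.put("goal-2", {"user_key": "user-bob", "completed": False})
    own = complete_goal(store, "user-alice", "goal-1")
    try:
        complete_goal(store, "user-alice", "goal-2")   # someone else's goal
        blocked = False
    except Forbidden:
        blocked = True
    return own["completed"], blocked, store.get("goal-2")["completed"]

if __name__ == "__main__":
    print(demo())
```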
