On 30 July 2010 21:27, Dean S. Jones <[email protected]> wrote:
> Sorry, again, looking at your above example, to make my point
> clear, using Firebug I can find (!user.isAuthenticated()) and any
> a JS debugger to subvert it. GWT obfuscates JS code, but
> anyone with 1) curiosity and a brain, 2) ulterior motives, this
> is a cakewalk.
>
> Think about it.
>
> and
>
> NEVER TRUST THE CLIENT. Always verify every action for permission
> on the server side.

Very true and I thought about that. My reasoning is that without a user token there will be no "interesting" data available (it's still on the server) so there is no leak. And anyone can sign up for an account so if a bad guy just wants to have a look at the JS code then they can get it. Do you think there is a flaw in my logic?
