Thoughts? On Thu, Apr 7, 2011 at 10:48 AM, cdub (PYITE) <[email protected]> wrote: > Is it possible to limit what can access a Javascript object? > > Our framework is MVC-based. Controller methods may be accessed > directly via Javascript proxy object generated at runtime. > Controllers are associated with a view. Views maybe be included in > other views. But, Javascript proxy objects may only be invoked w/in > the associated page, not the encompassing page. A configuration > setting on the controller method may grant "global" access allowing > encompassing pages to invoke child controller methods. > > So... > Page A with Controller Aa and method Aaa. > Page B with Controller Bb and method Bbb1 (private) and Bbb2 (public). > Page A includes Page B. > Page A cannot invoke Bbb1, but can invoke Bbb2. > > Hope that makes sense. > > One idea is that the Javascript proxies are generated with the id of > the wrapping DOM object (we know this at runtime rendering). Upon > client-side invocation, we look at the Javascript call stack to get > the DOM id of where the call originated and validate that against the > wrapping id stored w/ the proxy (ids are hierarchically chained, so > the wrapped id will be part of the origin id). We could do this > servers-side. I don't yet know about the plausibility or efficiency > of this approach. > > I could be over-thinking this. I hope there's a simpler way! ;-) > > Thoughts? Recommendations?
-- To view archived discussions from the original JSMentors Mailman list: http://www.mail-archive.com/[email protected]/ To search via a non-Google archive, visit here: http://www.mail-archive.com/[email protected]/ To unsubscribe from this group, send email to [email protected]
