I hadn't thought about it that seriously either, regarding what Matt is saying. But about the question Scott has, this is what I meant the other day. As far as I remember, we have our own server-side security running, and they are all in the ServiceImpls. And as far as the client is concerned, the only way to directly access the objects is to use the services, and the services only interface to the client via wrapper classes (they only take wrapper classes as parameters and return only wrapper classes as well). The write/create methods were wrapped around by each object to make the design look neater, not for any security purpose. So anyone can actually go instantiate a Service and use it, but it still requires a wrapper object, and the client shall never have access to a data object. Hope it made sense?
--
You received this bug notification because you are a member of MUGLE Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786016

Title:
  Direct Access to Services from client side

Status in Melbourne University Game-based Learning Environment:
  Triaged

Bug description:
  While Prageeth has coded the casting of shared objects to datastore objects to have security checks, these can be bypassed by calling the shared services directly. The type of these classes should be changed to Protected if possible to avoid this

