Oh OK then. Ignore comment #1. I have filed a separate bug for that issue (bug #786070).
Note that just making something protected won't prevent an intrepid client from calling it. That is a client-side solution. Client-side security is not security. We need ALL the APIs on the server to make these checks.

So: Are we doing so? Prageeth, I gather you have handled these issues. Do you think it's safe from the attack described above?

--
You received this bug notification because you are a member of MUGLE Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786016

Title:
  Direct Access to Services from client side

Status in Melbourne University Game-based Learning Environment:
  Triaged

Bug description:
  While Prageeth has coded the casting of shared objects to datastore objects to have security checks, these can be bypassed by calling the shared services directly. The type of these classes should be changed to Protected if possible to avoid this
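The server-side check called for in the message above, as an added sketch that is not part of the original e-mail and is not MUGLE's code: every remotely callable method is registered together with a permission check, so a request that names the service directly still passes through it. All names (`Session`, `remote`, `rename_game`, `handle_request`) and the sample data are hypothetical.

```python
from dataclasses import dataclass


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Session:
    user: str               # identity established by the server, never read from request fields
    is_admin: bool = False


# Constructed sample data: game id -> owner and title.
GAMES = {1: {"owner": "alice", "title": "Maze"}, 2: {"owner": "bob", "title": "Pong"}}

SERVICES = {}  # the only methods the entry point will dispatch to


def remote(check):
    """Register a service method together with its mandatory permission check."""
    def wrap(fn):
        def guarded(session, *args):
            # The check runs on the server for every call, whatever the client code looks like.
            if session is None or not check(session, *args):
                raise AccessDenied(fn.__name__)
            return fn(session, *args)
        SERVICES[fn.__name__] = guarded
        return guarded
    return wrap


def owns_game(session, game_id, *_):
    game = GAMES.get(game_id)
    return game is not None and (session.is_admin or game["owner"] == session.user)


@remote(owns_game)
def rename_game(session, game_id, title):
    GAMES[game_id]["title"] = title
    return GAMES[game_id]["title"]


def handle_request(session, method, args):
    """Server entry point: the caller chooses `method` and `args` freely."""
    handler = SERVICES.get(method)
    if handler is None:
        raise AccessDenied(method)  # unregistered methods are not reachable remotely
    return handler(session, *args)
```

Because registration and the check happen in one decorator, a service method cannot be exposed without a check attached to it.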

