Patrick Casey wrote:
<snip>
Now, in theory, I'm vulnerable to a malicious user who could
gain a user account and then submit synthetic directlinks referencing admin
type resources. Just because my GUI didn't render him a link to the
administrator's user record doesn't mean that he can't type one in; it's
just a string of letters and numbers. I can't do security based on link
structure because, as I mentioned, both users and admins often have exactly
the same physical link structure; rather, I have to do it based on content.


In Tapestry 3.0 (not sure about 4.x) pageValidate is called by DirectService (which is used to implement DirectLinks), so if you have authorization code there, your direct links might be made inaccessible to less privileged users. If you have a "border-like" component that is used by all your pages, you can use its pageValidate to implement simple role-based authentication.
Damian


<snip>
--- Pat
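The two checks discussed in this thread, shown together as an added example (my own code, not Pat's application or anything from the Tapestry project): a pageValidate role gate of the kind Damian suggests, plus the per-object check Pat needs because users and admins share the same link structure. It assumes the Tapestry 3.0 page-validation API as I remember it (PageValidateListener, PageEvent, PageRedirectException, IRequestCycle.getServiceParameters()); the Visit, UserRecord and UserRepository types, the "Login" and "Forbidden" page names, and the requiresAdmin() hook are hypothetical application code.

```java
import org.apache.tapestry.IRequestCycle;
import org.apache.tapestry.PageRedirectException;
import org.apache.tapestry.event.PageEvent;
import org.apache.tapestry.event.PageValidateListener;
import org.apache.tapestry.html.BasePage;

/** Hypothetical per-session state kept as the Tapestry Visit object. */
class Visit {
    private final int userId;
    private final boolean admin;
    Visit(int userId, boolean admin) { this.userId = userId; this.admin = admin; }
    int getUserId() { return userId; }
    boolean isAdmin() { return admin; }
}

/** Hypothetical domain object addressed by the id carried in a DirectLink. */
class UserRecord {
    final int id;
    final int ownerId;   // the account allowed to edit this record
    UserRecord(int id, int ownerId) { this.id = id; this.ownerId = ownerId; }
}

/** Hypothetical lookup; returns null for unknown ids. */
class UserRepository {
    static UserRecord find(int id) { return null; }
}

/**
 * Coarse gate: every page extends this, so DirectService runs pageValidate
 * before any listener method. It answers "may this role reach this page?"
 * and nothing more. (Damian's border-component variant registers the same
 * kind of listener from a shared component instead of a base page.)
 */
abstract class SecurePage extends BasePage implements PageValidateListener {
    /** Pages that only admins may open override this to return true. */
    protected boolean requiresAdmin() { return false; }

    public void pageValidate(PageEvent event) {
        Visit visit = (Visit) getVisit();
        if (visit == null) {
            throw new PageRedirectException("Login");      // not logged in at all
        }
        if (requiresAdmin() && !visit.isAdmin()) {
            throw new PageRedirectException("Forbidden");  // wrong role for this page
        }
    }
}

/**
 * A page shared by users and admins: the role gate above cannot tell a
 * user's own record from the administrator's, because the directlink that
 * reaches this listener is just "page + id" either way. The listener must
 * therefore decide per object, on the content the id resolves to.
 */
abstract class EditUserPage extends SecurePage {
    private UserRecord record;

    /** Bound to a DirectLink with the record id as its single parameter. */
    public void editUser(IRequestCycle cycle) {
        Object[] params = cycle.getServiceParameters();
        if (params == null || params.length != 1 || !(params[0] instanceof Integer)) {
            throw new PageRedirectException("Forbidden");  // malformed or synthetic link
        }
        int targetId = ((Integer) params[0]).intValue();
        Visit visit = (Visit) getVisit();
        UserRecord target = UserRepository.find(targetId);
        // Unknown ids and ids owned by someone else get the same answer, so a
        // typed-in link cannot be used to probe which records exist.
        if (target == null || !canEdit(visit, target)) {
            throw new PageRedirectException("Forbidden");
        }
        record = target;
    }

    /** Object-level rule: admins may edit anyone, users only their own record. */
    static boolean canEdit(Visit visit, UserRecord target) {
        return visit.isAdmin() || visit.getUserId() == target.ownerId;
    }
}
```

The point of keeping the two checks separate is that pageValidate only sees the page, not the parameters, so it is the right place for "is this role allowed here at all" and the wrong place for "is this particular record his". The second decision has to be made where the id is resolved, and should fail closed (redirect, not render) on a missing, malformed or foreign id.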
