Koen,

> Wt will never expose any part of your business logic on the client. In
> this case, the button is implicitly associated with the particular
> post on the server side, and only the button is identified at the
> client (not the post id) [Wt does not even know there is a post
> involved, its sole task is to render widgets and relay events]. As a
> bad guy you cannot do anything since there is only button available,
> and that is the only button whose click event will be accepted.

I understand the story with the button identified. Probably one of the most used patterns for editing a form is that, besides the editable attributes, there is a hidden attribute that contains the identifier of the object. When the form content is sent back, either on POST or GET, the server identifies the object based on the ID. Wt cannot be far from this. When the user presses the button, an ajax request is generated and the edited fields + (database) id of the object + some identifier of the button are packed together one way or another and sent to the client.

Now, what I was trying to say is that one might be able to pack another (database) id of the object, being able thus to change the content of a post that does not belong to him, as there is no check for authorization. The only way this could be avoided is that, besides the secret session id (which is unique during the lifetime of the user's session), one creates a map of database id to another secret id. The edited form would then contain a hidden attribute that would contain a secret ID, etc. etc.
Well, I will activate Wireshark and will trace the messages, and will see how the id is sent :).

mobiphil

--
rgrds,
mobi phil

being mobile, but including technology
http://mobiphil.com

_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
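The two handlers the thread contrasts, as an added example that is not part of the original post or of Wt itself: a direct-reference edit handler that trusts a database id taken from the form, beside the per-session map of database id to secret id that the post proposes, with an ownership check on top. The post data, user names and `Session` class are constructed for illustration; `std::random_device` is assumed to be a non-deterministic source on the target platform.

```cpp
#include <cstdio>
#include <map>
#include <random>
#include <string>
#include <utility>

// Constructed sample data, not from the list post: post id -> owner and body.
struct Post { std::string owner; std::string body; };
static std::map<int, Post> g_posts = {{1, {"alice", "hello"}}, {2, {"bob", "hi"}}};

// Direct-reference handler: the form carries the raw database id and the
// server trusts it, so anyone who can change the hidden field edits any post.
bool editPostDirect(int postId, const std::string& newBody) {
    auto it = g_posts.find(postId);
    if (it == g_posts.end()) return false;
    it->second.body = newBody;
    return true;
}

// Indirect-reference handler: each session hands the client an opaque random
// token instead of the id, keeps the token -> id map on the server, and still
// checks ownership before writing. A token issued by another session is unknown here.
class Session {
public:
    explicit Session(std::string user) : user_(std::move(user)) {}

    // Issue a fresh 128-bit hex token for a post this session may reference.
    std::string tokenFor(int postId) {
        std::random_device rd;  // assumed non-deterministic (hypothetical platform guarantee)
        std::string token;
        for (int i = 0; i < 4; ++i) {
            char buf[9];
            std::snprintf(buf, sizeof buf, "%08x", rd());
            token += buf;
        }
        tokens_[token] = postId;
        return token;
    }

    // Resolve the token within this session only, then enforce ownership.
    bool editPost(const std::string& token, const std::string& newBody) {
        auto t = tokens_.find(token);
        if (t == tokens_.end()) return false;  // unknown, guessed or foreign token
        auto p = g_posts.find(t->second);
        if (p == g_posts.end() || p->second.owner != user_) return false;  // not the caller's post
        p->second.body = newBody;
        return true;
    }

private:
    std::string user_;
    std::map<std::string, int> tokens_;
};
```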
