Hey Mobi Phil,

2010/2/8 mobi phil <[email protected]>:
> I understand the story with the button identified. Probably one of the
> most used patterns for editing a form is that besides the editable
> attributes there is a hidden attribute that contains the identifier of
> the object. When the form content is sent back either on POST or GET
> the server identifies the object based on the ID. Wt cannot be far
> from this. When the user presses the button an ajax request is

Why can Wt not be far from this? Again: Wt does not send the business
object ID to the browser. Wt only sends information related to DOM
elements forth and back between browser and server.

> generated and the edited fields + (database) id of the object +
> together with some identifier of the button are packed together one or
> other way and sent to the client. Now, what I was trying to say that

That's almost true, but no id of the object is sent to the browser. This
information is redundant since you have instantiated the button
specifically for that object, and thus server side it is known what
object to update when the button is clicked.

> one might be able to pack another (database) id of the object, being
> able thus to change the content of a post that does not belong to him,
> as there is no check for authorization. The only way this could be
> avoided is, besides the secret session id (that is unique during the
> lifetime of the user's session), to create a map of database id to
> another secret id. The edited form would then contain a hidden
> attribute that would contain a secret ID etc. etc.
>
> Well, I will activate Wireshark and will trace the messages, and will
> see how the id is sent :).

Please do :-) Or simply use the Firebug console and inspect the AJAX
request.

Regards,
koen

_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
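The distinction Koen draws above, as an added example that is not part of the original thread and not Wt's own code: a plain C++ model with no Wt dependency, in which the per-user Session, the Store, and the opaque widget-id scheme are assumptions standing in for Wt's server-side widget tree. The button handler captures the post id on the server, so the AJAX request carries only a widget id and the edited text, and a forged widget id simply finds no handler. The second path models the classic hidden-field form mobi phil describes, where the id is client-supplied and the server must therefore re-check ownership on every request.

```cpp
#include <functional>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed sample data: blog posts, each owned by one user.
struct Post {
    int id;
    std::string owner;
    std::string body;
};

struct Store {
    std::map<int, Post> posts;
};

// Hypothetical model of one user's server-side session. As in Wt, the browser
// only ever learns an opaque widget id; the mapping from widget id to the
// object it edits lives entirely on the server.
class Session {
public:
    Session(Store& store, std::string user) : store_(store), user_(std::move(user)) {}

    // "Render" an edit button for every post this user owns. Each handler
    // captures the post id server-side; the id itself is never sent out.
    std::vector<std::string> renderOwnPosts() {
        std::vector<std::string> widgetIds;
        for (auto& [id, post] : store_.posts) {
            if (post.owner != user_) continue;
            std::string wid = "w" + std::to_string(nextWidget_++);
            handlers_[wid] = [this, id](const std::string& newBody) {
                store_.posts.at(id).body = newBody;
            };
            widgetIds.push_back(wid);
        }
        return widgetIds;
    }

    // What the AJAX request carries: widget id + edited field. An unknown or
    // forged widget id is rejected; there is no object id to tamper with.
    bool handleClick(const std::string& widgetId, const std::string& newBody) {
        auto it = handlers_.find(widgetId);
        if (it == handlers_.end()) return false;
        it->second(newBody);
        return true;
    }

    // Contrast: a form that echoes the database id in a hidden field. Because
    // the id is client-supplied, ownership must be checked on every request;
    // without this check any authenticated user could edit any post.
    bool handleHiddenIdForm(int postId, const std::string& newBody) {
        auto it = store_.posts.find(postId);
        if (it == store_.posts.end()) return false;
        if (it->second.owner != user_) return false;  // authorization check
        it->second.body = newBody;
        return true;
    }

private:
    Store& store_;
    std::string user_;
    int nextWidget_ = 0;
    std::map<std::string, std::function<void(const std::string&)>> handlers_;
};

// Constructed sample store with one post per user.
Store makeSampleStore() {
    Store s;
    s.posts[1] = {1, "alice", "alice's post"};
    s.posts[2] = {2, "bob", "bob's post"};
    return s;
}

int main() {
    Store s = makeSampleStore();
    Session alice(s, "alice");
    auto ids = alice.renderOwnPosts();
    std::cout << "alice sees " << ids.size() << " editable post(s)\n";
    std::cout << "click on own widget: " << alice.handleClick(ids[0], "edited") << "\n";
    std::cout << "click on forged widget: " << alice.handleClick("w99", "forged") << "\n";
    std::cout << "hidden-id form for bob's post: " << alice.handleHiddenIdForm(2, "hijack") << "\n";
    return 0;
}
```

The widget-id path has nothing for a client to substitute because the target object is fixed when the button is created; the hidden-id path is only as safe as the ownership check that guards it.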
