2010/2/8 mobi phil <[email protected]>:
>> That's almost true but no id of the object is sent to the browser.
>> This information is redundant since you have instantiated the button
>> specifically for that object and thus server side it is known what
>> object to update when the button is clicked.
>
> Thanks Koen, I am confident I got the picture. There is something in
> the DOM that uniquely associates the button with the object that lives
> on the server. That means that there is a unique ID in the game that
> is packed when the ajax http message is sent etc.
>
> Unfortunately I think there is however a little issue with this
> approach. There is a time gap between the moment the object is
> retrieved for editing and when it is saved. Unfortunately when you
> save you are using the authorisation settings of the object that were
> valid at retrieve time and not at save time. In the meantime the user
> might have lost his write rights on the object, but you would still be
> able to save. But that goes probably more in locking area etc. etc.
>

Fortunately there is no method to revoke rights in the blog example, so
this is a hypothetical scenario :-)

> So... sorry for abusing your time...

However I would not call it wasted time

> :)
>

Insight in the security model of Wt is crucial to appreciate it, and to
judge what it protects against and what not. Wt has a well-structured
strategy to protect against the common web-attacks. Many (most) other
frameworks don't do this as extensively as Wt does.

Regards,
Wim.

_______________________________________________
witty-interest mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/witty-interest
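The retrieve-time versus save-time authorisation gap discussed in the thread, as an added illustration that is neither Wt code nor from the thread: a minimal stand-in for a server-side object, an ACL, and two edit handlers, the first deciding once when the widget is built and the second deciding again when the save click arrives. The names (Post, AuthStore, StaleEditor, FreshEditor, the user "alice") are assumptions for the example.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>
struct Post { int id; std::string body; };

// Hypothetical server-side ACL (not Wt's API): user -> post ids they may write.
struct AuthStore {
    std::map<std::string, std::set<int>> writable;
    void grant(const std::string& u, int id) { writable[u].insert(id); }
    void revoke(const std::string& u, int id) { writable[u].erase(id); }
    bool canWrite(const std::string& u, int id) const {
        auto it = writable.find(u);
        return it != writable.end() && it->second.count(id) > 0;
    }
};

// Naive editor: write decision taken once when the widget is built, reused at save.
struct StaleEditor {
    Post& post;
    bool allowed;   // snapshot taken at retrieve time
    bool save(const std::string& body) {
        if (!allowed) return false;
        post.body = body;
        return true;
    }
};

// Hardened editor: keeps user and store, and decides again at save time.
struct FreshEditor {
    const AuthStore& auth;
    std::string user;
    Post& post;
    bool save(const std::string& body) {
        if (!auth.canWrite(user, post.id)) return false;  // live check
        post.body = body;
        return true;
    }
};

// Gap from the thread: rights revoked after the form opened but before save.
std::pair<bool, bool> revokeBetweenRetrieveAndSave() {
    AuthStore auth;
    Post p1{1, "original"}, p2{2, "original"};
    auth.grant("alice", 1); auth.grant("alice", 2);
    StaleEditor stale{p1, auth.canWrite("alice", 1)};   // form opened while allowed
    FreshEditor fresh{auth, "alice", p2};
    auth.revoke("alice", 1); auth.revoke("alice", 2);   // rights lost meanwhile
    return {stale.save("changed"), fresh.save("changed")};  // {true, false}
}
```

The stale editor still writes after the revocation because it trusts its retrieve-time snapshot; the fresh editor consults the ACL at the moment the save signal is handled and refuses.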
