Thanks Jeff, you actually know what I'm talking about...
If I'm sending the guestlist-id as a parameter, doesn't that defeat
the purpose of guestlist? If all a "hacker" has to do is change the
guestlist-id (a UUID, so it would be difficult), he could use another
user's guestlist?

Putting the guestlist in session ensures the rules about what data
goes on the guestlist cannot be tampered with.

Another strategy is that when I'm checking the guestlist, and it
fails, I re-fill my guestlist and check again, but I'd rather not do
this.

thanks,
JB


--- In flexcoders@yahoogroups.com, "Jeff Vroom" <[EMAIL PROTECTED]> wrote:
>
> One of the basic principles of the "auto-sync" capability with FDMS is
> that a given set of fill parameters corresponds to a single consistent
> set of results.  If you want each client to display unique results, you
> need to ensure each executes with unique fill parameters.  In this case,
> maybe you'd add some value which is unique for the user to the set of
> fill parameters (maybe the guestlist id in case multiple users share the
> same guest list).
> 
>  
> 
> What will happen then is that you'll end up with a fill per user (or per
> guest list).  The "refresh fill" process then might become expensive if
> you have lots of users each with unique fills of course.  What you might
> want here is to then implement the fill-contains method.  It will get
> called for each newly created or updated item for each unique set of
> fill parameters.  You can get the user/guestlist id out of the fill
> parameters, determine whether they are allowed to see that new item and
> if so, append it to the fill.  
> 
>  
> 
> Jeff
> 
>  
> 
> ________________________________
> 
> From: flexcoders@yahoogroups.com [mailto:[EMAIL PROTECTED] On
> Behalf Of box110a
> Sent: Tuesday, April 24, 2007 11:59 AM
> To: flexcoders@yahoogroups.com
> Subject: [flexcoders] FDS 2.0.1 Java Assembler autosync push
> interception
> 
>  
> 
> Let's say I have a datagrid of Person Objects (first, last names, DOB,
> etc). I am using FDS java assembler to CRUD these objects. 
> 
> I have two clients, A & B and A adds a new Person which shows up on
> B's datagrid moments later. My question is, can I intercept the push
> of new Person to B's datagrid? I've tried implementing addItemToFill and
> autoRefreshFill, but they only get called by client A.
> 
> The reason for this is because I am restricting what B can access via
> a "guestlist" in his/her session. If I cannot control what data is
> pushed to B, I cannot have fine-grained data access control. I am
> trying to prevent any kind of "parameter tampering".
>
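
One way to reconcile the two positions in this thread is to treat the guestlist-id in the fill parameters as a client claim that is checked against the server-side session when the fill is requested, and then let the fill-contains logic filter pushed items by that vetted id. The following is an added example, not code from the thread or from FDS; every class and method name is hypothetical and the sample data is constructed.

```java
import java.util.*;

// Added example: every class and method name here is hypothetical, not an FDS API.
public class GuestlistFillGuard {
    // Server-side state only; nothing here is taken from the client.
    private final Map<String, Set<String>> usersByList = new HashMap<>();   // guestlist id -> users allowed to use it
    private final Map<String, Set<String>> personsByList = new HashMap<>(); // guestlist id -> visible Person ids

    void define(String guestlistId, Set<String> users, Set<String> personIds) {
        usersByList.put(guestlistId, new HashSet<>(users));
        personsByList.put(guestlistId, new HashSet<>(personIds));
    }

    // Run at the start of fill(): the id in the fill parameters is a client claim,
    // so it is accepted only if the server-side session user may use that guestlist.
    String authorizeFill(List<?> fillParameters, String sessionUser) {
        Object id = (fillParameters == null || fillParameters.isEmpty()) ? null : fillParameters.get(0);
        Set<String> users = usersByList.get(id);
        if (!(id instanceof String) || users == null || !users.contains(sessionUser)) {
            throw new SecurityException("guestlist not available to this session");
        }
        return (String) id;
    }

    // Logic for a fill-contains method: no receiving-client session is consulted here,
    // only the fill parameters, which authorizeFill() vetted when the fill was created.
    boolean fillContains(List<?> fillParameters, String personId) {
        Object id = (fillParameters == null || fillParameters.isEmpty()) ? null : fillParameters.get(0);
        Set<String> visible = personsByList.get(id);
        return visible != null && visible.contains(personId);
    }

    public static void main(String[] args) {
        GuestlistFillGuard guard = new GuestlistFillGuard();
        // Constructed sample data.
        guard.define("list-B", Set.of("clientB"), Set.of("p1", "p2"));
        guard.define("list-C", Set.of("clientC"), Set.of("p3"));

        System.out.println(guard.authorizeFill(List.of("list-B"), "clientB")); // own list
        try {
            guard.authorizeFill(List.of("list-C"), "clientB");                 // tampered id
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(guard.fillContains(List.of("list-B"), "p2")); // item on list-B
        System.out.println(guard.fillContains(List.of("list-B"), "p3")); // item not on list-B
    }
}
```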

