On Feb 17, 9:08 pm, James Ashley <james.ash...@gmail.com> wrote: > 1) The user has a bunch of personal...whatever. Bookmarks that he > doesn't want to share with his wife. The original query is tied to > his google account. He stashes a browser bookmark halfway through the > list and logs out of the site. Later, his wife uses the same computer > and logs in and checks out the new bookmarks. This one requires her > to log into her google account. From what I'm reading, it sounds like > she'll see his data.
Only if your app is dumb enough not to check who the current logged in user is before constructing the query for his data. If your application will run a query for a given user's private data based entirely on the URL with no authentication, it doesn't matter if you're using cursors or not; your application is inherently insecure. -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To post to this group, send email to google-appeng...@googlegroups.com. To unsubscribe from this group, send email to google-appengine+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/google-appengine?hl=en.
