On 10 nov, 18:35, Stephen Haberman <stephen.haber...@gmail.com> wrote:
> > In the current state, I honestly doubt that RequestFactory should
> > be used in a productive environment, as it introduces really
> > hard-to-overlook security problems.
>
> That was my impression as well.

I think it really depends what your use case is. In our app, either
the user has only access to data for reading only (guarding the
methods with role-based checks would then be enough), or he can only
modify objects that he has previously checked out (checking the
current user is the same as the "lock owner" is enough then), and he
can only check out objects that he's been given the "editor" role on
(checking that the current user is in the list of editors for the
object is enough then). But if the user has rights to modify an
object, he really can do anything with it.
I don't think RF has real security flaws for this use case (but I
honestly haven't investigated that much, given that it'll change soon
and we're at the very beginning of the project, which is due for
June).

> I agree it will be interesting to see
> how, if at all, this gets addressed in future releases.

Have you looked at http://code.google.com/p/google-web-toolkit/wiki/RequestFactory_2_1_1 ?
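
The three server-side checks described in this message (role check for reads, editor-list check for check-out, lock-owner check for modification), written as plain Java. This is an added example, not code from the poster's application or from GWT; `DocumentGuard`, `User`, `Doc` and the `"reader"` role name are hypothetical, and the `User` is assumed to come from the authenticated server session rather than from the request payload.

```java
import java.util.Set;

// Hypothetical types: not part of GWT RequestFactory or the poster's application.
public class DocumentGuard {
    record User(String id, Set<String> roles) {}

    static class Doc {
        final Set<String> editorIds;  // users given the "editor" role on this object
        String lockOwnerId;           // null while nobody has it checked out
        String body = "";
        Doc(Set<String> editorIds) { this.editorIds = editorIds; }
    }

    // Read path: a role-based check on the method is enough.
    static String read(User u, Doc d) {
        require(u.roles().contains("reader"), "reader role required");
        return d.body;
    }

    // Check-out: only users in the object's editor list may take the lock.
    static void checkOut(User u, Doc d) {
        require(d.editorIds.contains(u.id()), "not an editor of this object");
        require(d.lockOwnerId == null || d.lockOwnerId.equals(u.id()), "locked by another user");
        d.lockOwnerId = u.id();
    }

    // Write path: the current user must be the lock owner.
    static void modify(User u, Doc d, String newBody) {
        require(u.id().equals(d.lockOwnerId), "caller does not hold the lock");
        d.body = newBody;
    }

    private static void require(boolean ok, String why) {
        if (!ok) throw new SecurityException(why);
    }

    public static void main(String[] args) {
        // Constructed sample data.
        User alice = new User("alice", Set.of("reader"));
        User bob = new User("bob", Set.of("reader"));
        Doc doc = new Doc(Set.of("alice"));
        checkOut(alice, doc);
        modify(alice, doc, "v2");
        System.out.println(read(bob, doc));
        try { modify(bob, doc, "x"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        try { checkOut(bob, doc); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```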
