On 10. Jul 2006 - 11:21:49, Gentry, Michael (Contractor) wrote:
| The down side to embedding database IDs in your HTML form is they can be
| changed by the user before POSTing them back to your application, which
| can cause all sorts of problems.
Exactly, this creates _really huge_ security issues... Anyway, I took the same approach, but I've implemented a HiveMind SecurityService which is called before the object is written back to the database and which checks if the current user is allowed to execute the requested operation (read, write, delete, ...) on the object with that id. Otherwise it throws a SecurityException which is handled by the page class. This is quite a simple approach, but I don't need more, so it's sufficient for my needs. ACEGI integration would be more powerful and flexible - perhaps in a future version ;-)

HTH
Andreas
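The check Andreas describes, sketched as an added example (not his code and not the HiveMind API): a hypothetical `SecurityService` is consulted with the current user, the requested operation and the id that came back from the form before the page writes the object, and refuses with a `SecurityException` otherwise. The ownership map and the `OrderPage` class are constructed for the example and stand in for the database and a Tapestry page.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical stand-in for the SecurityService described in the post (not the HiveMind API).
enum Operation { READ, WRITE, DELETE }

interface SecurityService {
    // Throws SecurityException when `user` may not perform `op` on the object with `id`.
    void check(String user, Operation op, long id);
}

// Ownership-based rule: only the recorded owner may act on an object. The owner table is
// server-side state (an in-memory map here, standing in for a database lookup).
class OwnerSecurityService implements SecurityService {
    private final Map<Long, String> ownerById = new HashMap<Long, String>();
    OwnerSecurityService register(long id, String owner) { ownerById.put(id, owner); return this; }

    public void check(String user, Operation op, long id) {
        String owner = ownerById.get(id);
        // Unknown ids are refused as well, so a guessed id never reaches the database.
        if (owner == null || !owner.equals(user)) {
            throw new SecurityException(user + " may not " + op + " object " + id);
        }
    }
}

// Page class: the id posted back from the form is untrusted and is used only after the check.
class OrderPage {
    private final SecurityService security;
    private final Map<Long, String> orders = new HashMap<Long, String>(); // stand-in for the DB

    OrderPage(SecurityService security) { this.security = security; }

    void save(String currentUser, long postedId, String newValue) {
        security.check(currentUser, Operation.WRITE, postedId); // runs before the write-back
        orders.put(postedId, newValue);
    }

    public static void main(String[] args) {
        SecurityService svc = new OwnerSecurityService().register(1L, "alice").register(2L, "bob");
        OrderPage page = new OrderPage(svc);
        page.save("alice", 1L, "alice's order");      // alice owns 1: allowed
        try {
            page.save("alice", 2L, "tampered");       // hidden field edited to bob's id: refused
        } catch (SecurityException e) {
            System.out.println("refused: " + e.getMessage());
        }
    }
}
```

The same `check` call guards reads and deletes with the other `Operation` values; the point is that the page never trusts the posted id on its own.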