Secure your server/servlets first and UI second. Make sure all
incoming calls to the server tier deny unauthorized users access to
execute administrative operations. When you do this, you don't have to
worry if the user attempts an admin activity in the UI because they
will be denied in the server tier.
For the UI, let it all be downloaded to the client and filter the
controls at runtime. When a user logs in to your app, query the server
for their authorized privileges. This authorization information can
be used to hide/customize the UI associated with the server-side
operations they are, or are not, authorized to perform.
Craig
On Nov 25, 10:28 am, Drew Spencer <slugmand...@gmail.com> wrote:
> Hey coders,
>
> I'm building an app at the moment that will have regular users and
> administrators. The part I am building atm is an intranet-like section that
> allows the admins to upload files to the blobstore (also using app engine),
> so that users can download them.
>
> I have been using MVP with uibinder, so the FormPanel and FileUpload are
> baked into the UI. Obviously I only want the upload form to appear if it is
> an admin user looking at the page. Just wondering what the different
> approaches to this are, etc?
>
> I am thinking about putting the panel that holds the form in the uibinder
> template, then programmatically adding the FileUpload widget and the
> appropriate clickhandler and other logic. Is this the best way?
>
> Thanks,
>
> Drew
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
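The two halves of the advice above (deny at the server tier, then hide controls from a server-supplied privilege list) as an added example. This is not code from the thread, nor from GWT or App Engine; it uses the real App Engine `UserService` and GWT RPC APIs, but the class names, the `/admin/*` path and the `"upload"` privilege string are assumptions for illustration.

```java
// Added example, not code from the thread. Assumed names: AdminOnlyFilter,
// PrivilegeService/PrivilegeServiceAsync/PrivilegeServiceImpl, FileView,
// the "/admin/*" path and the "upload" privilege string.

// ---- server: AdminOnlyFilter.java (map to /admin/* in web.xml) ----
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

public class AdminOnlyFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        UserService users = UserServiceFactory.getUserService();
        // isUserAdmin() throws IllegalStateException when nobody is signed in,
        // so test isUserLoggedIn() first. Deny by default: anyone who is not an
        // App Engine admin stops here, whatever the client UI did or did not show.
        if (!users.isUserLoggedIn() || !users.isUserAdmin()) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return; // the upload servlet behind this filter never runs
        }
        chain.doFilter(req, resp);
    }
}

// ---- shared: PrivilegeService.java / PrivilegeServiceAsync.java ----
import java.util.Set;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.client.rpc.RemoteServiceRelativePath;

@RemoteServiceRelativePath("privileges")
public interface PrivilegeService extends RemoteService {
    Set<String> getPrivileges();   // names of operations the caller may perform
}

public interface PrivilegeServiceAsync {
    void getPrivileges(AsyncCallback<Set<String>> callback);
}

// ---- server: PrivilegeServiceImpl.java ----
import java.util.HashSet;
import java.util.Set;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class PrivilegeServiceImpl extends RemoteServiceServlet implements PrivilegeService {
    public Set<String> getPrivileges() {
        // Same decision rule as the filter, so UI and server can never disagree.
        Set<String> privs = new HashSet<String>();
        UserService users = UserServiceFactory.getUserService();
        if (users.isUserLoggedIn() && users.isUserAdmin()) {
            privs.add("upload"); // assumed privilege name
        }
        return privs;
    }
}

// ---- client: FileView.java (the UiBinder template holds an empty FormPanel) ----
import java.util.Set;
import com.google.gwt.core.client.GWT;
import com.google.gwt.uibinder.client.UiBinder;
import com.google.gwt.uibinder.client.UiField;
import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.ui.*;

public class FileView extends Composite {
    interface Binder extends UiBinder<Widget, FileView> {}
    private static final Binder BINDER = GWT.create(Binder.class);

    @UiField FormPanel uploadForm;   // ui:field="uploadForm" in FileView.ui.xml, left empty there

    public FileView(PrivilegeServiceAsync privileges) {
        initWidget(BINDER.createAndBindUi(this));
        uploadForm.setVisible(false);  // hidden until the server says otherwise
        privileges.getPrivileges(new AsyncCallback<Set<String>>() {
            public void onFailure(Throwable caught) { /* stays hidden */ }
            public void onSuccess(Set<String> privs) {
                if (privs.contains("upload")) {
                    // Add the widget programmatically only for authorized users.
                    uploadForm.add(new FileUpload());
                    uploadForm.setVisible(true);
                }
            }
        });
    }
}
```

Map the filter with a `<filter-mapping>` whose `<url-pattern>` is `/admin/*` in web.xml, and pass a path under it (for example `/admin/upload`) to `BlobstoreService.createUploadUrl` so the upload callback servlet sits behind the check; confirm in your own deployment that the callback still sees the signed-in user, since that is what the filter relies on. App Engine can also enforce the same rule declaratively with a `<security-constraint>` whose `<role-name>` is `admin`. Either way, the client-side hiding is only a convenience: a quick check is to submit a multipart POST to the admin path with curl as a non-admin account and confirm you get a 403 regardless of what the UI rendered.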