Agreed, server-side access checks must always be there.
public String getAuditLogDetail(int id) throws MyException {
    // Authorization is decided from the server-side session, never from anything the client sends.
    HttpSession sess = getThreadLocalRequest().getSession();
    validSession(sess);
    if (hasAdminAccess(sess)) {
        LocalDbWrapper ldb;
        try {
            ldb = new LocalDbWrapper(servletContext);
            AuditLogDAO dao = new AuditLogDAO();
            return dao.getLogDetail(ldb, id);
        } catch (LocalDbException e) {
            // Wrap the database error in the application exception that travels back over RPC.
            throw new MyException("Database request failed: " + e.getMessage());
        }
    } else {
        // Fail closed: a non-admin session gets an error, not data.
        throw new MyException("Access denied! (getAuditLogDetail)");
    }
}
Some example client code where the app config menu item is only enabled after login and if the user has admin rights. Screens for any user are always downloaded; admin screens are downloaded on demand with code splitting (GWT.runAsync).
// Only display the config menu when the user has admin access (a UI convenience;
// the server still checks the session on every RPC call).
if (Access.hasAccess(me, MyConst.ACCESS_ADMIN)) {
    configMenuItem.setVisible(true);
    configMenuItem.setCommand(appConfigCmd);
}

Command appConfigCmd = new Command() {
    @Override
    public void execute() {
        if (Access.hasAccess(me, MyConst.ACCESS_ADMIN)) {
            // Admin screens live in a separate code-split fragment that is fetched on demand.
            GWT.runAsync(new RunAsyncCallback() {
                @Override
                public void onFailure(Throwable reason) {
                    Window.alert("GWT.runAsync failed for App Config panel: " + reason.getMessage());
                }

                @Override
                public void onSuccess() {
                    // Fragment loaded: replace the current content with the config panel.
                    uberContent.clear();
                    ConfigPanel panel = new ConfigPanel(me);
                    uberContent.add(panel);
                    placePanel(800, 1300);
                }
            });
        }
    }
};
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/foL6rnWJ3loJ.
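As an added example (not code from the original post or its author), the following shows one way to centralize the server-side check the post argues for, so that every RPC method fails closed when the session is missing, malformed, or carries no admin role, and ignores anything the client claims about itself. It assumes the javax.servlet HttpSession API, a hypothetical session attribute named "roles" populated at login, a simplified stand-in for the post's MyException, and a Proxy-based HttpSession test double constructed only for the demo.

```java
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpSession;

/** Checked exception sent back over GWT-RPC; simplified stand-in for the MyException in the post. */
class MyException extends Exception {
    MyException(String msg) { super(msg); }
}

/** Central, fail-closed authorization guard for RPC service methods (hypothetical helper). */
public final class AccessGuard {
    /** Hypothetical session attribute holding the roles granted at login. */
    public static final String ROLES_ATTR = "roles";

    private AccessGuard() {}

    /** Roles come from the server-side session only; anything missing or malformed means no roles. */
    @SuppressWarnings("unchecked")
    public static Set<String> rolesOf(HttpSession sess) {
        if (sess == null) {
            return Collections.emptySet();
        }
        Object attr = sess.getAttribute(ROLES_ATTR);
        if (attr instanceof Set<?>) {
            return Collections.unmodifiableSet((Set<String>) attr);
        }
        return Collections.emptySet();
    }

    /** Throws unless the session carries the required role; call first in every protected RPC method. */
    public static void requireRole(HttpSession sess, String role, String where) throws MyException {
        if (!rolesOf(sess).contains(role)) {
            throw new MyException("Access denied! (" + where + ")");
        }
    }

    /** Minimal HttpSession test double (constructed for this demo) that only answers getAttribute. */
    static HttpSession sessionWithRoles(String... roles) {
        Map<String, Object> attrs = new HashMap<>();
        attrs.put(ROLES_ATTR, new LinkedHashSet<>(Arrays.asList(roles)));
        return (HttpSession) Proxy.newProxyInstance(
                HttpSession.class.getClassLoader(),
                new Class<?>[] { HttpSession.class },
                (proxy, method, args) -> "getAttribute".equals(method.getName()) ? attrs.get(args[0]) : null);
    }

    /** Example RPC method: the client-supplied flag is deliberately ignored, only the session decides. */
    static String getAuditLogDetail(HttpSession sess, int id, boolean clientClaimsAdmin) throws MyException {
        requireRole(sess, "admin", "getAuditLogDetail");
        return "audit log entry " + id; // stand-in for the DAO call shown in the post
    }

    public static void main(String[] args) {
        HttpSession user = sessionWithRoles("user");
        HttpSession admin = sessionWithRoles("user", "admin");
        Object[][] cases = {
            { "no session", null, true },
            { "user claiming admin", user, true },
            { "admin", admin, false },
        };
        for (Object[] c : cases) {
            try {
                System.out.println(c[0] + ": " + getAuditLogDetail((HttpSession) c[1], 42, (Boolean) c[2]));
            } catch (MyException e) {
                System.out.println(c[0] + ": " + e.getMessage());
            }
        }
    }
}
```

The only input the guard trusts is the session attribute the server itself wrote at login; a request with no session, a session whose roles attribute is missing or of the wrong type, and a client that merely claims to be admin all end up on the same "Access denied" path, which is the property the hidden menu item and the on-demand code fragment cannot provide on their own.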