Friday, December 2, 2011

Re: RequestFactory Security: prevent the user from retrieving other users content

You should save the currently logged in user into a server side session (app server session or a general user session stored in your database) and use this user to fetch data from your database. Then you don't even have to send the userId to the server during the request. The server knows who is logged in.

In general you can't trust the client and its requests, so you have to validate them. So it's up to the server to manage logged in users, (multi-)tenant information, access controls, etc. Basically everything that is security related.

-- J.

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-web-toolkit/-/pwQiB7wHkgQJ.
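The pattern J. describes, written out in GWT RequestFactory terms as an added example (this code is not from the original post, the thread, or the GWT project): the server-side service exposes no method that accepts a userId at all, reads the logged-in user from the HttpSession that the login handler populated, and, for single-object lookups, checks ownership rather than only existence. The insecure signature it replaces is shown beside it but is deliberately not listed in the RequestContext. Assumptions: a login handler that stores the user's id in a session attribute named `userId`; the `Order`, `OrderProxy`, `OrderRequest`, `OrderService` names and the in-memory order list are constructed for the example. The only GWT API relied on beyond the standard annotations is `RequestFactoryServlet.getThreadLocalRequest()`, which returns the HttpServletRequest being processed on the current thread. The pieces are shown as they would sit in separate source files.

```java
// --- Order.java (server side) ---
// Constructed entity for the example; a real app would map it with JPA/JDO.
public class Order {
    private Long id;
    private Long ownerId;
    private String description;

    public Order() { }   // no-arg constructor, as RequestFactory value types need

    public Order(Long id, Long ownerId, String description) {
        this.id = id; this.ownerId = ownerId; this.description = description;
    }
    public Long getId() { return id; }
    public Long getOwnerId() { return ownerId; }
    public String getDescription() { return description; }
}

// --- OrderProxy.java (shared) ---
import com.google.web.bindery.requestfactory.shared.ProxyFor;
import com.google.web.bindery.requestfactory.shared.ValueProxy;

@ProxyFor(Order.class)
public interface OrderProxy extends ValueProxy {
    Long getId();
    Long getOwnerId();
    String getDescription();
}

// --- OrderRequest.java (shared) ---
import java.util.List;
import com.google.web.bindery.requestfactory.shared.Request;
import com.google.web.bindery.requestfactory.shared.RequestContext;
import com.google.web.bindery.requestfactory.shared.Service;

@Service(OrderService.class)
public interface OrderRequest extends RequestContext {
    // No userId parameter: the client cannot even express "another user's orders".
    Request<List<OrderProxy>> findMyOrders();
    Request<OrderProxy> findMyOrder(Long orderId);
}

// --- OrderService.java (server side) ---
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpSession;
import com.google.web.bindery.requestfactory.server.RequestFactoryServlet;

public class OrderService {
    /** Session attribute the login handler is assumed to set after authenticating. */
    public static final String USER_ID_ATTR = "userId";

    /** Constructed in-memory stand-in for the orders table. */
    private static final List<Order> ORDERS = new ArrayList<Order>();
    static {
        ORDERS.add(new Order(1L, 100L, "alice's order"));
        ORDERS.add(new Order(2L, 200L, "bob's order"));
    }

    /** VULNERABLE (not in OrderRequest): trusts the userId the client sent, so any
     *  logged-in user can pass someone else's id and read their orders. */
    public static List<Order> findOrdersInsecure(Long userId) {
        return ordersOwnedBy(userId);
    }

    /** HARDENED: identity comes from the server-side session, never from the payload. */
    public static List<Order> findMyOrders() {
        return ordersOwnedBy(currentUserId());
    }

    /** Single-object access must check ownership, not only that the id exists. */
    public static Order findMyOrder(Long orderId) {
        Long userId = currentUserId();
        for (Order o : ORDERS) {
            if (o.getId().equals(orderId)) {
                if (!o.getOwnerId().equals(userId)) {
                    throw new SecurityException("order " + orderId + " is not owned by the current user");
                }
                return o;
            }
        }
        return null;
    }

    private static Long currentUserId() {
        HttpSession session = RequestFactoryServlet.getThreadLocalRequest().getSession(false);
        Long userId = session == null ? null : (Long) session.getAttribute(USER_ID_ATTR);
        if (userId == null) {
            // A thrown RuntimeException reaches the client as Receiver.onFailure(ServerFailure).
            throw new IllegalStateException("no authenticated user in session");
        }
        return userId;
    }

    private static List<Order> ordersOwnedBy(Long userId) {
        List<Order> result = new ArrayList<Order>();
        for (Order o : ORDERS) {
            if (o.getOwnerId().equals(userId)) result.add(o);
        }
        return result;
    }
}
```

Two design points worth noting. First, removing the userId parameter from the RequestContext is what makes the client-side "forgot to check" bug impossible: there is no field to tamper with. Second, `findMyOrder` fails closed with an exception instead of returning null for another user's order, so a mismatch is visible in server logs and on the client's `onFailure` path rather than silently indistinguishable from "not found".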
