mugle-dev team mailing list archive

Thread
Date

[Bug 786016] Re: Direct Access to Services from client side

To: mugle-dev@xxxxxxxxxxxxxxxxxxx
From: Prageeth Silva <786016@xxxxxxxxxxxxxxxxxx>
Date: Sat, 21 May 2011 06:43:12 -0000
Reply-to: Bug 786016 <786016@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Yes in general this case has been handled, as far as the concerned
services are the ModelServices. I'm not too sure if this is the case
with the ClientAPI services as I haven't looked at them. If Scott can
confirm this, it'll be great.

However, in some specific cases, I wasn't too sure of the logic for
checking if the user has privileges to update the object in question. In
these case, I've given access since I didn't want to throw an error that
could have slowed down the UI development. I've also added "TODO"
comments in these methods (in ServiceImpls) to review it later and I
think someone should review it when they get time before Monday.

-- 
You received this bug notification because you are a member of MUGLE
Developers, which is a direct subscriber.
https://bugs.launchpad.net/bugs/786016

Title:
  Direct Access to Services from client side

Status in Melbourne University Game-based Learning Environment:
  Triaged

Bug description:
  While Prageeth has coded the casting of shared objects to datastore
  objects to have security checks, these can be bypassed by calling the
  shared services directly.  The type of these classes should be changed
  to Protected if possible to avoid this

References

[Bug 786016] [NEW] Direct Access to Services from client side
From: Scott Ritchie, 2011-05-20