On Feb 27, 2013, at 2:14 AM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
If we're checking 401, no problem keeping it; I misread that. What about
'isLoggedIn'? Is it still necessary to return it, or may I remove it?
KILL IT :D
I don't see it used anywhere. I am determining logged in based on a 200 response when
POSTing to /login.
--
"The measure of a man is what he does with power" - Plato
-
@abstractj
-
Volenti Nihil Difficile
On Tuesday, February 26, 2013 at 11:39 PM, Kris Borchers wrote:
> Yes, the intent here is to not hit the server for every UI change. Basically, all the
stored value is used for is to decide whether or not to show certain UI elements. Anything
actually accessing "secure" data hits the server first and security is enforced
at that point. Yes, someone could change that value and get access to the "Add
Tag" form for example. IMO, that is not a big deal because as soon as they try to
actually create the tag, they get a 401, an error is displayed and the tag is not created.
If this is not the case, let me know and I can fix it but that was the intent.
>
> On Feb 26, 2013, at 7:47 PM, Lucas Holmquist <lholmqui(a)redhat.com> wrote:
>
>> I think part of the idea here was to limit the requests to the server, although
this app was created when the libs were in flux. It is probably more correct in terms of
security to "phone home", that is, until we have some sort of client-side
encryption, maybe.
>>
>> On Feb 26, 2013, at 7:54 PM, Bruno Oliveira <bruno(a)abstractj.org> wrote:
>>
>>> Hi guys, I'm revisiting our TODO app and I would like to know if it's
possible to remove the roles and loggedIn attributes from app.js. Why? Currently the access
control relies on local storage
(
https://github.com/danbev/TODO/blob/master/client/src/main/webapp/js/app....) and not
on the HTTP status responses from the server (correct me if I'm saying something wrong
here), and nowadays "loggedIn" should be considered useless, because we will
rely on HTTP sessions.
>>>
>>> Am I wrong? Controlling it on the client side is easy to bypass.
>>>
>>>
>>> --
>>> "The measure of a man is what he does with power" - Plato
>>> -
>>> @abstractj
>>> -
>>> Volenti Nihil Difficile
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
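Added example, not code from the TODO app or from anyone in this thread: a small JavaScript client in the shape the thread describes. The `loggedIn` and `roles` values in local storage are only a UI hint (decide whether to show the "Add Tag" form); every write still goes to the server, and a 401 on that request is treated as the authoritative "not logged in", which also resets the cached hint. The server, its `/login` and `/tags` endpoints, the `JSESSIONID` cookie, the credentials and the local-storage shim are all constructed stand-ins so the code runs offline under Node; they are assumptions, not the project's API.

```javascript
// Added example (not the TODO app's code). Client-side state is a UI hint only;
// the server's HTTP status is the authority.

// Constructed stand-in for window.localStorage so this runs under Node.
const storage = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => m.set(k, String(v)),
    removeItem: (k) => m.delete(k),
  };
})();

// Constructed stand-in for the server. Only here is authentication actually checked.
const SESSION = "s3cr3t-session-id"; // assumed session id, not a real one
function fakeServer(path, { method = "GET", headers = {}, body = null } = {}) {
  const authed = headers.Cookie === `JSESSIONID=${SESSION}`;
  if (path === "/login" && method === "POST") {
    const { username, password } = JSON.parse(body);
    if (username === "alice" && password === "correct horse") {
      return { status: 200, headers: { "Set-Cookie": `JSESSIONID=${SESSION}` }, body: { roles: ["admin"] } };
    }
    return { status: 401, headers: {}, body: { error: "bad credentials" } };
  }
  if (path === "/tags" && method === "POST") {
    if (!authed) return { status: 401, headers: {}, body: { error: "not authenticated" } };
    return { status: 201, headers: {}, body: { id: 1, name: JSON.parse(body).name } };
  }
  return { status: 404, headers: {}, body: {} };
}

// Client: remembers the session cookie plus a loggedIn/roles hint used only for UI decisions.
const client = {
  cookie: null,
  // "Logged in" is decided by a 200 on POST /login, as in the thread.
  login(username, password) {
    const r = fakeServer("/login", { method: "POST", body: JSON.stringify({ username, password }) });
    if (r.status === 200) {
      this.cookie = r.headers["Set-Cookie"];
      storage.setItem("loggedIn", "true");
      storage.setItem("roles", JSON.stringify(r.body.roles));
      return true;
    }
    this.forgetSession();
    return false;
  },
  forgetSession() {
    this.cookie = null;
    storage.removeItem("loggedIn");
    storage.removeItem("roles");
  },
  // UI gating: cheap and local, and NOT a security boundary. Anyone can flip this value.
  showAddTagForm() {
    return storage.getItem("loggedIn") === "true";
  },
  // Every write hits the server; a 401 there is the authoritative "not logged in".
  createTag(name) {
    const r = fakeServer("/tags", {
      method: "POST",
      headers: { Cookie: this.cookie || "" },
      body: JSON.stringify({ name }),
    });
    if (r.status === 401) {
      this.forgetSession(); // resync the UI hint with what the server just told us
      return { ok: false, error: "Session expired or not logged in" };
    }
    return { ok: r.status === 201, tag: r.body };
  },
};

// Scenario from the thread: someone edits local storage by hand to expose the form.
function tamperedClientStillGets401() {
  client.forgetSession();
  storage.setItem("loggedIn", "true"); // attacker edits DevTools > Application > Local Storage
  const formShown = client.showAddTagForm(); // true: the UI is fooled
  const result = client.createTag("pwned");   // the server is not
  return { formShown, created: result.ok, hintCleared: storage.getItem("loggedIn") === null };
}
```

The point of `forgetSession()` inside `createTag` is the missing half of the pattern Kris describes: once the server says 401, the stale hint should be dropped so the UI stops offering actions that will fail anyway.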