What if a hacker triggers it anyway (sends a valid request or whatever)? Is it also “disabled” on the server side, meaning it won’t enter its registered command and execute the logic?
Or do I have to check like:
menuItem.isEnabled()
before executing the logic in the registered command for that menuItem?
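One way to do the defense-in-depth check the question asks about, as an added example (not code from the thread or from Vaadin itself). It assumes the Vaadin 7/8 `com.vaadin.ui.MenuBar` API (`MenuBar.Command`, `MenuItem.isEnabled()`); `GuardedCommand`, `buildMenu`, `isAdmin` and `deleteAccount` are hypothetical names:

```java
import com.vaadin.ui.MenuBar;
import com.vaadin.ui.MenuBar.Command;
import com.vaadin.ui.MenuBar.MenuItem;
import java.util.function.BooleanSupplier;
import java.util.logging.Logger;

/**
 * Wraps a MenuBar.Command so the real logic only runs when the server-side
 * item state AND a server-side authorization check both allow it. The client
 * never decides; it can at most ask.
 */
public final class GuardedCommand implements Command {
    private static final Logger LOG = Logger.getLogger(GuardedCommand.class.getName());
    private final BooleanSupplier authorized; // hypothetical: your own permission check
    private final Command delegate;

    public GuardedCommand(BooleanSupplier authorized, Command delegate) {
        this.authorized = authorized;
        this.delegate = delegate;
    }

    @Override
    public void menuSelected(MenuItem selectedItem) {
        // The server-side MenuItem object is the source of truth for "enabled",
        // not whatever state the browser claims for the element it rendered.
        if (!selectedItem.isEnabled() || !selectedItem.isVisible()) {
            LOG.warning("Rejected click on disabled/hidden item '" + selectedItem.getText() + "'");
            return; // log it: a click here means the UI state was bypassed
        }
        if (!authorized.getAsBoolean()) {
            LOG.warning("Rejected unauthorized click on '" + selectedItem.getText() + "'");
            return;
        }
        delegate.menuSelected(selectedItem);
    }

    /** Wiring example: the enabled flag is a UI hint, the guard is the enforcement. */
    public static MenuBar buildMenu(BooleanSupplier isAdmin) {
        MenuBar menu = new MenuBar();
        MenuItem delete = menu.addItem("Delete account",
                new GuardedCommand(isAdmin, item -> deleteAccount()));
        delete.setEnabled(isAdmin.getAsBoolean()); // greys it out for non-admins
        return menu;
    }

    private static void deleteAccount() {
        // privileged logic goes here (hypothetical)
    }
}
```

Wrapping commands this way also gives you a log line whenever a request reaches a disabled item, which is the signal you would want to see if someone is replaying requests against your session.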
Vaadin will take care of handling this kind of state for you unless noted otherwise in the book (and I think I remember that only modal windows can be bypassed and need some extra care).
There’s no indication for me that the “enabled” boolean is used server-side.
However, for someone to send a successful request, they need to know:
probably the code in this POST content:
81364ab8-01ab-4ba2-a32f-2f33c08a840711 PID2clickedIdi
and I hope that isn’t built client-side, because it would be a security flaw
and the session ID.
To guess the combination of these two is almost impossible with today’s infrastructure.
It would have to be a man-in-the-middle attack, in which case it isn’t about the enabled/disabled thing anymore.
You’re right, I was careless with following the variable around.
Not a total loss. I discovered the Poster Firefox add-on while playing around; it’s pretty useful at showing that someone can hitch a ride on your session if they find out its ID.