Say I do


which disables it client side.

What if a hacker triggers it, sends a valid request or whatever, is it also “disabled” on the server side, meaning it won’t enter its registered command and execute the logic?

Or do I have to check like:


before executing the logic in the registered command for that menuItem?
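The defensive pattern the question describes, written out as an added example (not code from the original post or from Vaadin itself). It assumes the Vaadin 7 `MenuBar` / `MenuBar.MenuItem` API, where `setEnabled`/`isEnabled` are server-held state, and the `currentUserMayDelete()` permission check is a hypothetical stand-in for whatever authorization rule drove the decision to disable the item in the first place:

```java
import com.vaadin.server.VaadinRequest;
import com.vaadin.ui.MenuBar;
import com.vaadin.ui.Notification;
import com.vaadin.ui.UI;

// Added example: the menu item is disabled on the server, and the command
// re-checks both the server-side enabled flag and the underlying permission
// rule before doing anything, so a forged client request gains nothing.
public class MenuDemoUI extends UI {

    // Hypothetical authorization rule; in a real app this would consult the
    // session's authenticated principal / role information.
    private boolean currentUserMayDelete() {
        return false; // constructed: this user is not allowed to delete
    }

    @Override
    protected void init(VaadinRequest request) {
        MenuBar menu = new MenuBar();

        MenuBar.MenuItem deleteItem = menu.addItem("Delete", new MenuBar.Command() {
            @Override
            public void menuSelected(MenuBar.MenuItem selectedItem) {
                // Defense in depth: do not trust that the client honoured the
                // disabled state. isEnabled() is server state, not a client flag.
                if (!selectedItem.isEnabled()) {
                    Notification.show("Action is disabled");
                    return;
                }
                // Re-evaluate the actual authorization rule, not just the UI flag.
                if (!currentUserMayDelete()) {
                    Notification.show("Not permitted");
                    return;
                }
                performDelete();
            }
        });

        // The enabled flag is set from the same server-side rule that the
        // command re-checks, so the two cannot drift apart.
        deleteItem.setEnabled(currentUserMayDelete());

        setContent(menu);
    }

    private void performDelete() {
        // Privileged logic lives here; it is only reachable after both checks.
        Notification.show("Deleted");
    }
}
```

The point of the second check is that `setEnabled(false)` is a presentation decision derived from an authorization rule; re-running that rule inside the command keeps the privileged code path independent of whatever the client chose to render or send.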

Vaadin will take care of handling this kind of state for you unless noted otherwise in the book (and I think I remember that only modal windows can be bypassed and need some extra care).

There’s no indication on server-side for me that the “enabled” boolean is used server-side

However, for someone to send a successful request, they need to know:

  1. probably the code in this POST content:

    and I hope that isn’t built client side, because it would be a security flaw

  2. and the sessionid

To guess the combination of these two is almost impossible with today’s infrastructure.
It would have to be a man-in-the-middle attack, in which case it isn’t about the enabled/disabled thing anymore.

I believe MenuBar.changeVariables() is where it is checked before changing the state of an item or executing its command.

You’re right, I was careless with following the variable around.

Not a total loss. I discovered the Poster Firefox add-on while playing around; it is pretty useful at showing that someone can hitch a ride on your session if they find out its id.