Hi!
This must be basic but I have researched a LOT and it doesn’t make any sense at all…
I have this Authentication class that, after a login, stores the user to the session. OK.
Then I have an abstract definition of a view that on ‘enter’ checks if the current user is null and, if so, navigates
back to the login screen (to prevent access to views).
The problem is that when my friend logs in to the site, I can access the locked views in his account just by typing the URL
in the browser.
This is my authentication class:
http://pastebin.com/jt3xFurA
When any of my views ‘enter’ they call the ‘enter’ method that calls this from the abstract view:
[code]
@Override
public void enter(ViewChangeEvent event) {
    main.updateCurrentUser();
}
[/code]
Which is:
[code]
/**
 * Updates the topbar current user or goes to login screen
 */
public void updateCurrentUser() {
    titleBar.updateCurrentUser();
    // Leave if no user
    if (Authentication.currentUser() == null) {
        if (!navigator.getState().equals(Navigation.LOGIN)
                && !navigator.getState().equals(Navigation.CREATEUSER)) {
            navigator.navigateTo(Navigation.LOGIN);
        }
    }
}
[/code]
Current user should return null for me since I haven’t logged in. My friend did, but that should be in his session, shouldn’t it?