menu item security question
Say I do
menuItem.setEnabled(false);
which disables it client side.
What if a hacker triggers it, sends a valid request or whatever, is it also "disabled" on the server side, meaning it won't enter its registered command and execute the logic?
Or do I have to check like:
menuItem.isEnabled()
before executing the logic in the registered command for that menuItem?
Vaadin will take care of handling this kind of state for you unless noted otherwise in the book (and I seem to remember that only modal windows can be bypassed and need some extra care).
There's no indication on server-side for me that the "enabled" boolean is used server-side
However, for someone to send a successful request, they need to know:
1. probably the code in this POST content:
81364ab8-01ab-4ba2-a32f-2f33c08a840711PID2clickedIdi
and I hope that isn't built client side, because it would be a security flaw
2. and the sessionid
To guess the combination of these two is almost impossible with today's infrastructure.
It would have to be a man in the middle attack, in which case it isn't about the enabled/disabled thing anymore
Tudor Raneti: There's no indication on server-side for me that the "enabled" boolean is used server-side
I believe MenuBar.changeVariables() is where it is checked before changing the state of an item or executing its command.
You're right, was careless with following the variable around.
Not a total loss. I discovered the Poster Firefox add-on while playing around, pretty useful at showing someone can hitch a ride on your session if they find out its id.
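The server-side check discussed in this thread, as an added example that is not part of the original posts and is not Vaadin's own code: a simplified model in which the click handler looks up the item's enabled state on the server before running its command. The class and method names (ServerSideMenu, handleClick) are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of a server-side menu; hypothetical classes, not Vaadin's API.
public class ServerSideMenu {
    interface Command { void run(); }

    static final class Item {
        final Command command;
        volatile boolean enabled = true;
        Item(Command command) { this.command = command; }
    }

    private final Map<Integer, Item> items = new HashMap<>();
    private int nextId = 1;

    int addItem(Command command) {
        items.put(nextId, new Item(command));
        return nextId++;
    }

    void setEnabled(int id, boolean enabled) { items.get(id).enabled = enabled; }

    // Called with the item id taken from the client's request. The id is
    // untrusted input: state is looked up on the server, never read from the request.
    boolean handleClick(int clickedId) {
        Item item = items.get(clickedId);
        if (item == null || !item.enabled) {
            return false; // unknown or disabled item: the command is not run
        }
        item.command.run();
        return true;
    }

    public static void main(String[] args) {
        ServerSideMenu menu = new ServerSideMenu();
        int[] runs = {0};
        int delete = menu.addItem(() -> runs[0]++);
        menu.setEnabled(delete, false);

        // Constructed requests: a client replays a click for the disabled item,
        // then clicks it once enabled, then sends an id that was never issued.
        System.out.println("disabled click accepted: " + menu.handleClick(delete));
        menu.setEnabled(delete, true);
        System.out.println("enabled click accepted: " + menu.handleClick(delete));
        System.out.println("unknown id accepted: " + menu.handleClick(999));
        System.out.println("command ran " + runs[0] + " time(s)");
    }
}
```

The enabled flag here only mirrors UI state; a command that performs a privileged action should still check the caller's authorization itself.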