On 22 April 2010 05:08, Matt C <[email protected]> wrote:

> I'm writing a goal tracking application.  I'd like to write the goal
> entity key into a form like this:
>
> <form action="/complete/<entity_key>" method="post">
>
> However, I don't want a malicious user to be able to guess someone
> else's ID and complete their goal for them.


When you mark a user's goal as complete you SHOULD verify that the current user is
THE OWNER of the goal he is trying to save.

-- 
Regards, Vladimir Prudnikov.
Email: [email protected]
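
The ownership check described in the reply above, as an added example that is not part of the original message or of App Engine's API. The `Goal` record, the `GOALS` dictionary standing in for the datastore, and the `complete_goal` function are hypothetical names, and the sample records are constructed.

```python
from dataclasses import dataclass


@dataclass
class Goal:
    key: str
    owner_id: str
    completed: bool = False


# Constructed sample records standing in for datastore entities.
GOALS = {
    "goal-1001": Goal("goal-1001", owner_id="alice"),
    "goal-1002": Goal("goal-1002", owner_id="bob"),
}


def complete_goal(current_user_id, entity_key, store=GOALS):
    """Handle POST /complete/<entity_key>; returns (http_status, message).

    current_user_id must come from the server-side session (the logged-in
    account), never from a form field or the URL, which the client controls.
    """
    if current_user_id is None:
        return 401, "login required"

    goal = store.get(entity_key)

    # Authorization: the key in the URL only says which goal is requested.
    # Whether the request is allowed depends on who owns that goal.
    # A missing goal and someone else's goal get the same response, so the
    # handler does not confirm which keys exist.
    if goal is None or goal.owner_id != current_user_id:
        return 404, "goal not found"

    goal.completed = True
    return 200, "goal completed"
```

With this check in place the entity key does not need to be secret: a guessed key for another user's goal is rejected before any write happens.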