Let's say we expose the following entity and its properties to a client application:
employee {firstname, lastname, address, socialsecuritynumber}
In the client application, we display all or a subset of the properties depending on the user's privileges.
However, since we query the employee entity, all of its properties are sent to the client application. If we decided to hide socialsecuritynumber from some users, they would still be able to see the value coming from the server by checking the content of the response.
What approach should we take to prevent this? I'm thinking of using different projections according to who's logged in...
But any insight would be appreciated.
Especially for sensitive data, send only what is absolutely required for the screen at hand, and only send data the user is allowed to see. Go down the path of data transfer objects or projections.
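As an added illustration of the projection/DTO approach suggested in the answer (not code from the original post), this builds a per-role DTO on the server side so that fields like socialsecuritynumber never enter the response unless the role is allowed to see them. The role names, the allow-lists and the sample employee are assumptions made up for the example.

```python
from dataclasses import dataclass, fields
from typing import Any
import json

# Full server-side entity (the four properties from the question).
# The client must never receive this object serialized as-is.
@dataclass(frozen=True)
class Employee:
    firstname: str
    lastname: str
    address: str
    socialsecuritynumber: str

# Per-role allow-lists of fields the client is permitted to see.
# Hypothetical role names chosen for this example; deny by default.
PROJECTIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"firstname", "lastname"}),
    "manager": frozenset({"firstname", "lastname", "address"}),
    "hr": frozenset({"firstname", "lastname", "address", "socialsecuritynumber"}),
}

def project(employee: Employee, role: str) -> dict[str, Any]:
    """Build the DTO for `role` by copying only allow-listed fields.

    Iterating the dataclass fields (not the allow-list) keeps key order
    stable; an unknown role yields an empty DTO rather than the full entity.
    """
    allowed = PROJECTIONS.get(role, frozenset())
    return {f.name: getattr(employee, f.name)
            for f in fields(employee) if f.name in allowed}

def to_json(employee: Employee, role: str) -> str:
    """Serialize the projected DTO; this is what leaves the server."""
    dto = project(employee, role)
    # Defensive invariant: the DTO can never carry a field the role
    # is not allowed to see, whatever the allow-list contains.
    assert set(dto) <= PROJECTIONS.get(role, frozenset())
    return json.dumps(dto)

if __name__ == "__main__":
    # Constructed sample record, not real data.
    emp = Employee("Ada", "Lovelace", "12 Example St", "000-00-0000")
    for role in ("viewer", "manager", "hr", "guest"):
        print(role, to_json(emp, role))
```

The filtering happens before serialization, so inspecting the HTTP response in the client reveals nothing the role was not granted.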