antiGuru
Is there any way to identify which client session/user is calling the subscribe method of a DataAdapter?
For instance, in the MessengerDemo, when a user subscribes to messages to himself, it is done with the "im_<nick>" item. This is defined by the client, so it would be pretty easy for a user to subsititue someone else's nick and thereby subscribe to another's messages instead of their own.
Now, I already verify the identity of the client in the notifyUser method in the metadataAdapter, is there any way to use the validated user/session information from there in the subscribe method, so I can allow users to only subscribe to their own feed?
Dario Crivelli
There is no risk that a client cheats by using an item name dedicated to another client, because the Metadata Adapter can validate the request against user information in getItems.
For the same reason, you don't need to have the client use client-specific item names, because you can decorate the item names with client information in getItems (despite we opted for the former technique in the Messenger demo).
On the other hand, thanks to the level of decoupling offered by getItems, we choose not to provide session/user information to the Data Adapter.
The Data Adapter has to find all the information needed to determine the item meaning packed in the item name it receives through subscribe
and it is the job of getItems ensuring that the item names are composed in the proper way.
