-
I would like to hear someone who is in favor of JS MVC explain how you deal with security.
If your controllers contain business logic and they are all JS then you have a security problem.
Or are people backing their controllers with other (non extjs) controllers?
-
Client-side JavaScript is inherently insecure. The server should always be responsible for security in a web application.
-
I consider it acceptable for someone poking around in my JavaScript to break their instance of the application, so client-side security need only go as far as the app not breaking in normal use. The server must enforce correct access control and validation for all calls even if the client side also implements it. Any business logic in client-side JS is subject to inspecting and tampering, regardless of style or framework used, so treat it as just user-experience sugar on top of your secure API calls.
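The point made in the last post, as an added example that is not part of the thread: a server-side handler (plain JavaScript as it would run under Node.js; every name and data value is hypothetical and constructed) that repeats access control and validation and recomputes the price itself, whatever the client-side controller sent.

```javascript
'use strict';
// Constructed server-side state. The browser never supplies any of this.
const CATALOG = { 'sku-1': { priceCents: 1999 }, 'sku-2': { priceCents: 500 } };
const SESSIONS = {
  'tok-alice': { userId: 'alice', role: 'customer' },
  'tok-bob': { userId: 'bob', role: 'customer' },
};
const ORDERS = { 'ord-7': { owner: 'alice', items: [] } };

// Own-property lookup only, so keys such as "__proto__" never match.
const own = (obj, key) =>
  typeof key === 'string' && Object.prototype.hasOwnProperty.call(obj, key);

// Hypothetical handler for an "add item to order" API call. The body is
// untrusted input, regardless of what the client-side controller checked.
function addItemToOrder(sessionToken, body) {
  // Authentication: identity comes from the server-side session store.
  if (!own(SESSIONS, sessionToken)) return { status: 401, error: 'not authenticated' };
  const session = SESSIONS[sessionToken];

  const { orderId, sku, quantity } = body || {};
  if (!own(ORDERS, orderId)) return { status: 404, error: 'no such order' };
  const order = ORDERS[orderId];

  // Access control: body.role and body.userId are deliberately never read.
  if (order.owner !== session.userId && session.role !== 'admin') {
    return { status: 403, error: 'not your order' };
  }

  // Validation: repeated here even if the client-side form already did it.
  if (!own(CATALOG, sku)) return { status: 422, error: 'unknown sku' };
  if (!Number.isInteger(quantity) || quantity < 1 || quantity > 100) {
    return { status: 422, error: 'bad quantity' };
  }

  // Business logic: the price comes from the server catalog; any
  // body.priceCents computed by client-side code is ignored.
  const lineTotalCents = CATALOG[sku].priceCents * quantity;
  order.items.push({ sku, quantity, lineTotalCents });
  return { status: 200, lineTotalCents };
}
```
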