13 May 2009 6:58 AM #10
Perhaps this would be best done by allowing users to provide a filter in Direct.cfc getAPIScript immediately before outputting the API spec. What do you think?
EDIT: As I posted above, the invokeCall method in the CFC should be checking to make sure that the ExtDirect attribute is set on both the CFC and the method.
As another poster mentioned, all of your other security constraints should be handled on the server side, just like we've done in the past in a typical Ajax app.
Last edited by aconran; 13 May 2009 at 7:01 AM. Reason: added some stuff...
Aaron Conran
Sencha Architect Development Team
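
The check described in the post above, written out as an added example; it is not code from the original post or from the project's Direct.cfc. The helper names `isDirectCallAllowed` and `isFlagged` are hypothetical, and the example assumes the `ExtDirect` attribute carries a boolean value.

```cfml
<!--- Added example: hypothetical helpers, meant to be called at the top of
      invokeCall before the requested method is invoked. Deny by default. --->
<cffunction name="isDirectCallAllowed" access="private" returntype="boolean" output="false">
    <cfargument name="componentPath" type="string" required="true">
    <cfargument name="methodName" type="string" required="true">
    <cfset var meta = "">
    <cfset var fn = "">

    <cftry>
        <cfset meta = getComponentMetaData(arguments.componentPath)>
        <cfcatch type="any">
            <!--- Unknown or unloadable component: refuse the call. --->
            <cfreturn false>
        </cfcatch>
    </cftry>

    <!--- 1. The CFC itself must opt in. --->
    <cfif NOT isFlagged(meta)>
        <cfreturn false>
    </cfif>

    <!--- 2. The method must opt in as well. meta.functions lists only the
          functions declared in this CFC, so inherited methods are refused. --->
    <cfif NOT structKeyExists(meta, "functions")>
        <cfreturn false>
    </cfif>
    <cfloop array="#meta.functions#" index="fn">
        <cfif compareNoCase(fn.name, arguments.methodName) EQ 0>
            <cfreturn isFlagged(fn)>
        </cfif>
    </cfloop>

    <!--- Method name not found in the component: refuse. --->
    <cfreturn false>
</cffunction>

<cffunction name="isFlagged" access="private" returntype="boolean" output="false">
    <cfargument name="meta" type="struct" required="true">
    <!--- Assumption: the attribute is written as ExtDirect="true". --->
    <cfreturn structKeyExists(arguments.meta, "ExtDirect")
              AND isBoolean(arguments.meta.ExtDirect)
              AND arguments.meta.ExtDirect>
</cffunction>
```

The same predicate can serve as the filter applied in getAPIScript, so the published API spec and the set of calls the server accepts stay identical.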