| > Is 3) not inherent to all web development in that authentication on the client is 'disconnected' from users/ permissions on the server anyway? Server side components directly call server code, unlike client components, which use an HttpService. Compare for example https://dzone.com/articles/understanding-server-side-blazor, where: > The Blazor app is hosted by an ASP.NET Core app, which also sets up the SignalR endpoint. Since the Blazor app is running on the server, the event handling logic can directly access the server resources and services. Vs. the actual official samples, where an HttpService is used to access data from a controller: https://github.com/aspnet/samples/blob/master/samples/aspnet... ie. Blazor server side components are indeed disconnected from users/permissions, by design... it just happens that they can also call arbitrary server side code, which is obviously a) not portable, and b) hugely unsafe. There's an issue in the issue tracker for this, but basically, the tldr; is, no, you shouldn't call arbitrary server side code... but, you can, and so people are doing it. ... shakes head ... (edit: Oh look, another great one, https://social.technet.microsoft.com/wiki/contents/articles/... > We will invoke the methods of EmployeeDataAccessLayer class from our service. The service will be injected into our components and the components will call the service methods to access the database. ...) |