[sevenzero]

I am well aware of that, its much much easier to account for this with regular HTTP handlers in other stacks though. The issue here is that you can call random functions if you guess the signature correctly. Even authorized/authenticated users can and will missbehave if given the chance.

[OkayPhysicist]

To clarify, when you say "random functions", do you mean arbitrary event handlers like "handle_event("my_event")", despite the intended UI not presenting a way to call that event at the moment? Or do you mean any function in the LiveView module?

The latter doesn't seem to be the case, and if it is would be alarming. The former is absolutely the intended behavior. The client can send events to the server, that's how the whole thing works. If certain events shouldn't be available at certain times, you need to check that server side, and that's going to be true in any http handler.

[sevenzero]

>"handle_event("my_event")", despite the intended UI not presenting a way to call that event at the moment?

Exactly this, didnt know how to phrase it as it was a while ago where i had this issue.

And thats absolutely not true for any HTTP handler as there's no way for people to easily break out of the intended behavior.

[OkayPhysicist]

In most other HTTP handlers I've ever used, event handling would be handled by API endpoints, which are trivial for the user to target directly just by going to the Network tab in their browser's developer console.