Hacker News
by NortySpock 5 days ago
As others have said, the server receives a function call request and decides what to do with it. Whether or not a user or session is currently authorized to perform the action they want is something you evaluate inside the function -- but you

E.g. https://github.com/beyond-all-reason/teiserver/blob/f6ff6d68... here, we are in a function call that handles requests to send a chat message into a game lobby. We update the flood protection timestamps above, then determine if the user has permission to send the message, and finally whether they are speaking just as a client or via the Coordinator. Then we send the updated state back to the websocket.

This is what I found beautiful about GenServers, by the way. It's a very explicit "starting state, consume from queue, and each message handling function returns the next system state", which makes it very clear that a state transition does not occur unless you reach the bottom of the event-handling function call, and at that point, it's an atomic state transition of the entire internal state.

In summary: don't trust the client. Independently determine, server-side, in the function itself, whether the function call you just received is valid given the current state, not rate limited, etc., and then from there you can choose whether you want to act on it.

Disclaimer: Elixir noob, but I have been using Teiserver to learn.
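The handler shape the comment describes, as an added example that is not Teiserver's code and not from the commenter: a small lobby-chat GenServer whose `say` handler first records the flood-protection timestamp, then decides server-side whether the caller may speak, and only in the success branch returns a state whose log has changed. The module name `LobbyChat`, the `:say`/`:join`/`:mute` messages and the limit of 3 messages per 5 seconds are hypothetical stand-ins, not the project's API.

```elixir
# Added example (not Teiserver code). LobbyChat, its messages and the flood
# limits are hypothetical; the point is the server-side decision pattern.
defmodule LobbyChat do
  use GenServer

  # Hypothetical flood limit: at most @max_msgs messages per @window_ms per user.
  @max_msgs 3
  @window_ms 5_000

  ## Client API (runs in the caller's process; the server never trusts it)

  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, opts)
  def join(pid, user), do: GenServer.call(pid, {:join, user})
  def mute(pid, user), do: GenServer.call(pid, {:mute, user})
  def say(pid, user, text), do: GenServer.call(pid, {:say, user, text})
  def messages(pid), do: GenServer.call(pid, :messages)

  ## Server callbacks (run inside the GenServer, one message at a time)

  @impl true
  def init(_opts) do
    # Starting state: members, muted users, recent send timestamps, message log.
    {:ok, %{members: MapSet.new(), muted: MapSet.new(), sent: %{}, log: []}}
  end

  @impl true
  def handle_call({:join, user}, _from, state) do
    {:reply, :ok, %{state | members: MapSet.put(state.members, user)}}
  end

  def handle_call({:mute, user}, _from, state) do
    {:reply, :ok, %{state | muted: MapSet.put(state.muted, user)}}
  end

  def handle_call(:messages, _from, state) do
    {:reply, Enum.reverse(state.log), state}
  end

  def handle_call({:say, user, text}, _from, state) do
    now = System.monotonic_time(:millisecond)

    # 1. Flood protection first: the attempt is recorded whether or not it is
    #    allowed, so a rejected sender still burns their budget.
    recent =
      state.sent
      |> Map.get(user, [])
      |> Enum.filter(&(now - &1 < @window_ms))

    state = %{state | sent: Map.put(state.sent, user, [now | recent])}

    # 2. Decide server-side from current state; nothing the client claims
    #    about its own permissions is consulted.
    cond do
      length(recent) >= @max_msgs ->
        {:reply, {:error, :rate_limited}, state}

      not MapSet.member?(state.members, user) ->
        {:reply, {:error, :not_in_lobby}, state}

      MapSet.member?(state.muted, user) ->
        {:reply, {:error, :muted}, state}

      true ->
        # 3. Only this branch changes the log; the returned map is the new
        #    state, swapped in atomically when the callback returns.
        {:reply, :ok, %{state | log: [{user, text} | state.log]}}
    end
  end
end

# Usage with constructed input: each pattern match raises if the server
# decides differently than expected.
{:ok, pid} = LobbyChat.start_link()
:ok = LobbyChat.join(pid, "alice")
:ok = LobbyChat.say(pid, "alice", "hi")
{:error, :not_in_lobby} = LobbyChat.say(pid, "mallory", "not a member")
:ok = LobbyChat.mute(pid, "alice")
{:error, :muted} = LobbyChat.say(pid, "alice", "still here?")
:ok = LobbyChat.join(pid, "bob")
Enum.each(1..3, fn n -> :ok = LobbyChat.say(pid, "bob", "msg #{n}") end)
{:error, :rate_limited} = LobbyChat.say(pid, "bob", "msg 4")
[{"alice", "hi"} | _] = LobbyChat.messages(pid)
```

Because `handle_call` runs one message at a time in the server process, the membership, mute and rate checks all read the same snapshot of state, and a rejected request leaves every field except the flood timestamps untouched.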