...
- All methods should be POST; if GET is required for some action, keep a whitelist of the GET actions that are allowed
- Prevent CSRF by having a key (SESSIONID?) that is transmitted with each request in a form variable (will this work for dhtmlx GET requests?). Have a switch that turns this off
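The two notes above describe one request-validation rule: reject anything that is not a POST or a whitelisted GET, and require a per-session key on every request that gets through, with a switch to disable the check. The block below is an added illustration of that rule and is not Grouper's own code; the setting names (CSRF_CHECK_ENABLED, GET_WHITELIST), the parameter name csrfToken, the paths, and the Session/Request classes are all constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed settings for this example (not Grouper's real configuration keys).
CSRF_CHECK_ENABLED = True                   # the "switch that turns this off"
GET_WHITELIST = {"/ui/search", "/ui/help"}   # the only GET actions allowed at all
CSRF_PARAM = "csrfToken"                     # hypothetical form / query variable name


@dataclass
class Session:
    """Server-side session. The CSRF token is a separate random value bound to
    the session rather than the session id itself (see the note below)."""
    session_id: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: params holds the POST form fields, or the query
    parameters for a GET (so the token can travel on GET requests too)."""
    method: str
    path: str
    params: dict
    session: Session


def hidden_field(session: Session) -> str:
    """Markup to embed in every form so the token is sent with each request."""
    return f'<input type="hidden" name="{CSRF_PARAM}" value="{session.csrf_token}">'


def check_request(req: Request, enabled: bool = CSRF_CHECK_ENABLED) -> tuple:
    """Return (allowed, reason).

    Rule: POST is always a candidate; GET only if its path is whitelisted; any
    other method is refused. Every candidate must then carry a token that
    matches the one stored in the caller's session."""
    if not enabled:
        return True, "csrf check disabled"

    if req.method == "POST":
        pass
    elif req.method == "GET":
        if req.path not in GET_WHITELIST:
            return False, "GET not whitelisted"
    else:
        return False, "method not allowed"

    submitted = req.params.get(CSRF_PARAM, "")
    # Constant-time comparison on bytes so the check neither leaks the token
    # byte by byte nor raises on non-ASCII input.
    if not submitted or not hmac.compare_digest(
        submitted.encode("utf-8"), req.session.csrf_token.encode("utf-8")
    ):
        return False, "missing or invalid csrf token"
    return True, "token ok"


if __name__ == "__main__":
    sess = Session(session_id="sess-123")   # constructed session
    print(hidden_field(sess))
    genuine = Request("POST", "/ui/group/save", {CSRF_PARAM: sess.csrf_token}, sess)
    forged = Request("POST", "/ui/group/save", {}, sess)   # cross-site form has no token
    print(check_request(genuine))   # (True, 'token ok')
    print(check_request(forged))    # (False, 'missing or invalid csrf token')
```

One design choice worth noting: the note suggests SESSIONID as the key, but the example uses a separate random token stored in the session, so the session identifier itself never has to be written into page bodies or query strings. For the dhtmlx question, the check reads the token from the request parameters, which lets a whitelisted GET supply it as a query parameter.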
Ideas
- Overall search screen should allow search for all grouper objects
- Comboboxes should have filters (e.g. for which source)
Help framework
- Investigate using this: http://embedded-help.net/