One of the questions I had at the Chicago Code Camp in my Google App Engine presentation was about permissions on deleting values from table storage. In GAE, each item in the datastore has a globally unique key-absolutely unique across all entities in your application and, I believe, unique across all objects. The question was this: if I figure out an ID of your objects, can I cause a delete from a second GAE application?
Fortunately, no. At the time of this writing, I have an object (a picture) whose ID is ahJzc2VlbHktc2lsdmVybGlnaHRyDwsSCUltYWdlRmlsZRgCDA. I tried deleting that exact ID from a different application. The delete failed. So, the delete would only work if it comes from the application in question. That’s what I hoped happened, and it does.
Thanks for the great question!