Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Propagate Permissions to Javascript

I'm debating the best way to propagate fairly complex permissions from the server to an AJAX application, and I'm not sure the best approach to take.

Essentially, I want my permissions to be defined so I can request a whole set of permissions in one shot, and adjust the UI as appropriate (the UI changes can be as low level as disabling certain context menu items). Of course, I still need to enforce the permissions server side.

So, I was wondering if anyone has any suggestions for the best way to

  1. maintain the permissions and use them in server code
  2. have easy access to the permissions in javascript
  3. not have to make a round-trip request to the server for each individual permission

Thoughts?

like image 301
jvenema Avatar asked Oct 28 '08 20:10

jvenema


3 Answers

If you have a clear set of permissions, like a "user level" or "user type", you could just pass the value down in a hidden field and access the value through the DOM. You could still do this if your permissions were more granular, but you would either have a lot of hidden fields or you would have to encode the information into XML or JSON or some other format.

You might set them as bit flags so that you could OR a single numeric value with a mask to see if the user had the permission for a specific activity. That would be very flexible and as long as you don't have more than 32 or so specific "rights", that would allow for any permutation of those rights in a very small package (basically an unsigned int).

For example:

0x00000001 //edit permission
0x00000002 //create new thing permission
0x00000004 //delete things permission
0x00000008 //view hidden things permission
   .
   .
   .
0x80000000 //total control of the server and everyone logged in

Then a user with a permission of 0x000007 could edit, create, and delete, but nothing else.

In either case, I think you're on the right track - make the request once per page invocation, store the permissions in a global JavaScript data structure, and go from there. AJAX is nice, but you don't want to query the server for every specific permission all over your page. You would do it once on the page load, set up the presentation of your page and save the value in a global variable, then reference the permission(s) locally for event functions.

like image 50
CMPalmer Avatar answered Nov 20 '22 06:11

CMPalmer


If you transmit the permission structure to the client as a JSON object (or XML, if you prefer), you can manipulate that object with the client-side code, and send it back to the server, which can do whatever it needs to validate the data and persist it.

like image 27
pkaeding Avatar answered Nov 20 '22 05:11

pkaeding


I don't necessarily see it as the most "correct" solution, but would it be possible to keep all the permission stuff on the server side, and just serve the updated UI rather than some kind of JSON permissions system?

You'd have to make the decision based on how busy and intensive your app expects to be, but definitely a decision worth making either way

like image 1
Gareth Avatar answered Nov 20 '22 06:11

Gareth