
I am used to using CanCan in my Rails views to show/hide visual elements depending on the user's permissions, e.g. showing an 'Add New Post' link to users that are allowed to add new posts.

In a Backbone app, where I am sending the entire app to the client at the beginning, how can I ensure that these elements are shown? Obviously I can hide them based on an attribute on a user model. But it would be possible to override this attribute on the client side.

Just wondering what others are doing to secure their apps from people messing with the JS on the client. Or am I being too secure (given that there wouldn't be any data sent to the client, as the authorisation is still working correctly on the server)?

robzolkos

1 Answer


I wouldn’t say you’re “being too secure” exactly, but certainly you must rely on your backend to prevent unauthorised activities. Even before you started using a client-side framework, someone could have simulated an “Add New Post” link that you would have had to prevent access to on the server; nothing has changed.

Buck Doyle
  • Yeah, I think I was paranoid about users of certain roles potentially seeing UI of other roles. But that's not as concerning as seeing data. Thanks for your response. – robzolkos May 12 '12 at 14:02
  • Having unauthorised users see UI that has no back-end support but no privileged data isn’t concerning at all, is it? – Buck Doyle May 12 '12 at 21:54
  • I'd say it depends on the application. Less concerning for an internal application with two different roles versus a webapp for public use (in which case I'd be very concerned). But concerns aside, how would you tackle the display of role-based UI on the client side? – robzolkos May 13 '12 at 05:43
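The pattern the answer describes, as an added example that is not code from the question, the answer, or CanCan itself: the server serialises a snapshot of the current user's permissions into the user model, the client uses that snapshot only to decide whether to render the 'Add New Post' link, and the server re-checks every request against its own rules, ignoring whatever the client claims. It is written without Backbone so it runs stand-alone; the `author`/`reader` roles, the `post:create` permission keys, the `serverCan` rule table and the `handleCreatePost` handler are all hypothetical stand-ins for a Rails controller calling CanCan's `authorize!`.

```javascript
// --- server side (stand-in for Rails + CanCan; roles and rules are hypothetical) ---

// Constructed sample users, keyed by id.
const SERVER_USERS = {
  1: { id: 1, role: 'author' },
  2: { id: 2, role: 'reader' },
};

// The single source of truth for authorisation. This logic stays on the server;
// only its *results* for the current user are ever sent to the client.
function serverCan(user, action, subject) {
  if (!user) return false;
  if (user.role === 'author') return subject === 'post' && ['read', 'create'].includes(action);
  if (user.role === 'reader') return subject === 'post' && action === 'read';
  return false;
}

// What the server embeds in the page at bootstrap as the user model.
// The `permissions` map is a UI hint derived from serverCan, nothing more.
function serializeCurrentUser(userId) {
  const user = SERVER_USERS[userId];
  return {
    id: user.id,
    permissions: {
      'post:create': serverCan(user, 'create', 'post'),
      'post:read': serverCan(user, 'read', 'post'),
    },
  };
}

// Simulated POST /posts. The identity comes from the server-side session
// (e.g. a signed cookie), never from the request body, so the client cannot
// choose who it is or what it may do.
function handleCreatePost(session, body) {
  const user = SERVER_USERS[session.userId];
  if (!serverCan(user, 'create', 'post')) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 201, body: { id: 42, title: body.title, authorId: user.id } };
}

// --- client side ---

// Mirrors the `can` helper a Backbone view would call from its template.
function clientCan(userModel, key) {
  return Boolean(userModel.permissions && userModel.permissions[key]);
}

// Builds the nav markup. The link is omitted from the DOM entirely rather than
// hidden with CSS, but either way this is convenience, not a security boundary.
function renderNav(userModel) {
  const items = ['<a href="/posts">Posts</a>'];
  if (clientCan(userModel, 'post:create')) {
    items.push('<a href="/posts/new">Add New Post</a>');
  }
  return `<nav>${items.join('')}</nav>`;
}

// Walk-through of the tampering the question worries about: a reader flips the
// attribute on their own user model in the browser console.
function tamperingDemo() {
  const reader = serializeCurrentUser(2);
  const before = renderNav(reader);            // no 'Add New Post' link
  reader.permissions['post:create'] = true;    // client-side override
  const after = renderNav(reader);             // link now appears in the UI...
  const response = handleCreatePost({ userId: 2 }, { title: 'not allowed' });
  return { before, after, status: response.status }; // ...but the server still answers 403
}
```

Running `tamperingDemo()` shows the only thing the override buys the attacker is a link they could have typed into the address bar anyway; the create request is refused because `handleCreatePost` never consults the client's copy of the permissions. The one design choice worth keeping from this sketch is that the serialised `permissions` map is computed from the same `serverCan` rules the request handlers use, so the UI and the enforcement cannot drift apart.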