0

I am currently working on a large application in Backbone. I am posed with the challenge of implementing field level permissions on the form.

One way is to trick the text API of require.js and have it fetch views/partials from the MVC controller and implement permissions on the server side. This way I will get the required HTML (as that will be compiled code returned from the server) that I can render.

Is there any better way to do it in Backbone?

Salman
  • I don't really understand your question. Are you trying to change which fields on a form are visible depending on what kind of user you have? Are you trying to restrict what data is displayed from the server depending on the kind of user? Are you trying to validate the inputs to the form depending on the kind of user? Some combination thereof? – Andrew Hubbs Jan 04 '13 at 06:52
  • What does "the text API of Backbone" mean and how does one "trick" it? Also, relevant code snippets will make solving your problem much easier. – Andrew Hubbs Jan 04 '13 at 06:53
  • @AndrewHubbs Yes, I need to restrict displaying of fields/data on a form, and in some cases certain forms, depending upon user permissions. Validating the input is the same for all users; it's just that some users are not allowed to view/edit the critical information. – Salman Jan 04 '13 at 07:04
  • And that text API is not Backbone's, it's from require.js (my bad). What it does is fetch the HTML views from the server, and you can then bind them with a Backbone model and render them. To trick it means that instead of mentioning physical paths of HTML files I mention the path as done with MVC; the controller will catch it and will then return compiled HTML in the form of a partial. I hope I made it understandable this time? :) – Salman Jan 04 '13 at 07:08
  • Cool. I understand your question now. Are you rendering your views via client side javascript templates or is the server returning fully rendered HTML for the forms in question? – Andrew Hubbs Jan 04 '13 at 07:10
  • Well.. it's a mixture of both :) Since it's a comparatively large application, there are certain scenarios where we get the server to return fully rendered HTML, and in some cases we just use JS templates – Salman Jan 04 '13 at 07:16
  • Cool. That makes sense. Unfortunately, that basically means you will likely need to duplicate a good bit of the rendering logic. – Andrew Hubbs Jan 04 '13 at 07:19

1 Answer

4

First off, independent of what you have Backbone do, you must restrict the data being returned from the server.

For example, if you have a User object that has sensitive fields like email that are only available to the owner user then the server must be responsible for not sending that information to the client. Likewise, if fields like email are not allowed to be created by random users then the server must filter or validate the client submitted data.

On the client, you will want to control the display based on the same user permissions. I would do this by keying off of either the fact that sensitive data was not returned from the server to begin with or some specifically set flags that indicate a user's permissions.

Andrew Hubbs
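A sketch of the server-side filtering this answer describes, added here as an example and not code from the question or the answer. The policy table, the function names and the `_editable` flag list are assumptions, and the code is framework-neutral JavaScript rather than any particular MVC stack.

```javascript
// Hypothetical per-field policy: which relation to the record may read or write it.
const USER_FIELD_POLICY = {
  id:    { read: ['anyone', 'owner', 'admin'], write: [] },
  name:  { read: ['anyone', 'owner', 'admin'], write: ['owner', 'admin'] },
  email: { read: ['owner', 'admin'],           write: ['owner', 'admin'] },
  role:  { read: ['admin'],                    write: ['admin'] },
};

// Resolve how the requesting user relates to the record being accessed.
function relationOf(requester, record) {
  if (requester.isAdmin) return 'admin';
  if (requester.id === record.id) return 'owner';
  return 'anyone';
}

// Outbound: build the JSON a Backbone model would fetch. Fields the requester
// may not read are never serialized, so the client cannot leak them.
// `_editable` is the permission flag list the client can key its display off.
function serializeFor(requester, record, policy = USER_FIELD_POLICY) {
  const relation = relationOf(requester, record);
  const out = { _editable: [] };
  for (const [field, rule] of Object.entries(policy)) {
    if (!rule.read.includes(relation)) continue;
    out[field] = record[field];
    if (rule.write.includes(relation)) out._editable.push(field);
  }
  return out;
}

// Inbound: validate submitted attributes. Assumes the client sends only the
// changed fields (for Backbone, model.save(attrs, { patch: true })).
// Any unknown or non-writable field rejects the whole request.
function applyUpdate(requester, record, submitted, policy = USER_FIELD_POLICY) {
  const relation = relationOf(requester, record);
  const denied = Object.keys(submitted).filter(
    (f) => !Object.prototype.hasOwnProperty.call(policy, f) ||
           !policy[f].write.includes(relation)
  );
  if (denied.length > 0) return { ok: false, denied };
  return { ok: true, record: { ...record, ...submitted } };
}

// Constructed sample data.
const alice = { id: 1, name: 'Alice', email: 'alice@example.test', role: 'member' };
const asAlice = { id: 1, isAdmin: false };
const asBob = { id: 2, isAdmin: false };
console.log(serializeFor(asBob, alice));   // no email or role
console.log(applyUpdate(asAlice, alice, { role: 'admin' })); // rejected
```

On the client, a view can hide or disable any input whose name is absent from the response or from `_editable`; that is a display convenience only, since the server applies the same policy again on every write.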