
I have a pretty hard time finding out how to properly manage JavaScript in a page for different types of user.

Let me explain a bit: we have a page that is visible to everyone, but some users have the right to edit content on the page directly and some just have read-only access. This page is really JavaScript heavy (4k+ lines or so), and inside this JavaScript I have PHP conditions deciding, based on user rights, whether or not it should display this or that function. The problem is maintenance of the code.

Because I have many types of user rights and a file that is huge, I struggle with the process of refactoring some functions that include those rights. And for security purposes, I have to be pretty precise about what I'm doing.

Since having a JS file for each user right type is not maintainable at all in my case, I'd like to know if you guys have some kind of genius idea to help me make something readable and maintainable.

Also, in this case, how could I include a system that minimizes my JS, including this right management?

Example of code I have:

<?php if ( $right_to_invite ) { ?>
    <div class="admin">
        <!-- Magic inside -->
    </div>
<?php } ?>
<!-- otherwise the block is simply not rendered -->

And since my JavaScript doesn't have to be displayed if you don't have the right for it:

<?php if ( $right_to_invite ) { ?>
    function invite(){
        $.post(.......) // again magic ...
    }
    $(".invite").on("click", invite); // pass the function itself; invite() would run it immediately
<?php } ?>

And it goes on and on and on ....

CinetiK
  • Try namespacing for each permission type – scrowler Dec 13 '13 at 11:16
  • You could display everything and include all JS for everyone, but then build in a condition that checks for user rights after a user-sensitive event has been triggered. – user2959229 Dec 13 '13 at 11:17
  • Try to use an MVC pattern and check permissions on the server side – cardeol Dec 13 '13 at 11:19
  • Just so you know, a malicious user can emulate the actions of a higher-privileged user using only their browser JavaScript console. Not providing client-side functionality for lower-privileged users does not provide any real security. tl;dr you need to make sure your server has logic to prevent users from performing actions they shouldn't. – Slicedpan Dec 13 '13 at 11:19
  • I really want to avoid any possibility of someone getting elevated privileges because I let him have full access to my JS. I do server-side checks, but I'd prefer not to give any hint about my structure since this is a pretty sensitive app. – CinetiK Dec 13 '13 at 11:19
  • Problem is I have basic fundamental security knowledge, and therefore I'm applying the "don't try this at home" rule by trying to be simple, and obviously it's not maintainable that way. – CinetiK Dec 13 '13 at 11:26
  • Maybe you could use an AJAX-based solution. With a hidden iframe you can return the required JavaScript from the server and bind it to the main window – Michel Dec 13 '13 at 16:03
  • That would be an affordable solution as well. I might dig into that a bit. If some of you have some examples for me, that would be great. – CinetiK Dec 16 '13 at 07:44
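As an added example (not the poster's or any commenter's code) of the approach the comments converge on: ship one script to everyone, let a server-supplied capability list decide which per-permission namespace gets bound, and authorise every action again on the server, so hiding JS is never the security boundary. The user names, rights and the in-process `handleRequest` simulation are constructed for the demo; in the real app the server side is the PHP endpoint that `$.post()` talks to.

```javascript
// Added example, not from the original question. The server side is simulated
// in-process so the whole thing runs offline in Node.

// --- server side -----------------------------------------------------------
// Constructed sample users: alice may invite and edit, bob is read-only.
const RIGHTS = { alice: new Set(['invite', 'edit']), bob: new Set() };

// What the page template would embed for the client, e.g.
// <script>var caps = <?php echo json_encode($caps); ?>;</script>
function capabilitiesFor(user) {
  return [...(RIGHTS[user] || [])];
}

// The only place that grants anything. It checks the session's rights itself
// and never trusts what the client chose to show or bind.
function handleRequest(user, action, payload) {
  const rights = RIGHTS[user];
  if (!rights || !rights.has(action)) {
    return { status: 403, body: 'forbidden' };
  }
  return { status: 200, body: `${action} ok for ${user}`, payload };
}

// --- client side -----------------------------------------------------------
// One namespace per permission; each knows its selector and its action.
const features = {
  invite: { selector: '.invite', action: 'invite' },
  edit:   { selector: '.edit',   action: 'edit' },
};

// Bind only the features the server listed. `post` is the transport (e.g. a
// wrapper around $.post) and `bind` the DOM binder (e.g.
// (sel, fn) => $(sel).on('click', fn)). Returns the names that were bound.
function bindFeatures(caps, post, bind) {
  const bound = [];
  for (const cap of caps) {
    const f = features[cap];
    if (!f) continue; // unknown capability: ignore it, never default to "show everything"
    bind(f.selector, (payload) => post(f.action, payload)); // pass the function, do not call it here
    bound.push(cap);
  }
  return bound;
}

// Read-only user: nothing is bound, and a request made without the UI is still refused.
function demoReadOnlyUser() {
  const post = (action, payload) => handleRequest('bob', action, payload);
  const shown = bindFeatures(capabilitiesFor('bob'), post, () => {});
  return { shown, directRequestStatus: post('invite', {}).status }; // → { shown: [], directRequestStatus: 403 }
}
```

The capability list only shapes the UI; the 403 for bob comes from `handleRequest` regardless of what the client bound, which is the server-side logic Slicedpan's comment asks for.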

0 Answers