
I'm building a new ExtJS4 MVC application with Web API (server side) that will have login and actions based on a user role. For example instead of having just roles like:

  • Admin
  • Administrative
  • HumanResources

I have a collection of actions and access types like

Action (Access Type)
  • Person.Delete (Full Access)
  • Person.ShowDetail (ReadOnly)
  • Report.Person.Accounting (None)
  • etc...

I have two approaches:

  1. Implementing the validation Server side (Web API Methods)
  2. Implementing the validation Client side (ExtJS)

If I choose to go for server side, then the user will see all the buttons, fields, etc. For example, if there is a "Print Report" button and the user doesn't have authorization to print the report, the user will click the button, a server side request is made, the Web API will check whether the current user is allowed to access that method or not, and then it returns a message to the client.

I'm not a big fan of the server side approach because the user will hit the server all the time, even when he is not allowed to do some action.

So I don't really know how I can implement this in order to show, hide, or disable buttons, fields, etc.; maybe it is a mixture of both approaches.

Hope someone can give me a better understanding.

VAAA
  • Interested to see responses to this. Off the top of my head, I'd probably create some global method (or methods) that could be called on various components that could determine some state (hidden/visible, active/disabled, etc.) based on the user's roles and access levels. You could basically map all the known roles/access levels to various keys that could be passed into your verification method. – existdissolve Apr 09 '14 at 01:39
  • How about keeping access controls in an array, then querying this array based on the component type? For instance, `Person.Delete` has three things like read, update, delete. If our array is like this `000002000000`, we know that the 6th value of the array corresponds to our Person action. As a result, the 6th value of the array is 2, which means the user can do everything. If the value is equal to 1, then the user can only do update and read actions. It's just an idea... – Oğuz Çelikdemir Apr 09 '14 at 10:10
  • This approach sounds OK, the only problem is how to implement that on Extjs :) Thanks – VAAA Apr 09 '14 at 17:38
  • @VAAA, there is an old entry: http://stackoverflow.com/questions/1775695/how-to-use-ext-js-for-role-based-application . I ended up implementing security both on the client and server side. That makes your application secure. If you have security on the client side only, there are ways to bypass it. It's better to have checks on the server side as well. – Abdel Raoof Olakara Apr 23 '14 at 05:22
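An added example (not code from the question or from any of the commenters) of the mixed approach the comments converge on: the server hands the client the user's action/access map once after login, the client uses it only to hide or disable components, and the Web API repeats the same check on every request. The `ACCESS` ordering, the sample permission map and the `componentState`, `applyState` and `authorizeRequest` names are assumptions; `setVisible` and `setDisabled` are the ExtJS 4 component methods.

```javascript
// Access types from the question, ordered so that Full implies ReadOnly.
const ACCESS = { None: 0, ReadOnly: 1, Full: 2 };

// Constructed sample: what the login response would carry for the current user.
// Any action missing from the map is treated as None (deny by default).
const userPermissions = {
  'Person.Delete': 'Full',
  'Person.ShowDetail': 'ReadOnly',
  'Report.Person.Accounting': 'None'
};

function accessLevel(perms, action) {
  const level = ACCESS[perms[action]];
  return level === undefined ? ACCESS.None : level;
}

// Decide how a component bound to an action should render.
// required: the access the component needs ('ReadOnly' to view, 'Full' to change data).
// No access at all -> hidden; some access but not enough -> visible but disabled.
function componentState(perms, action, required) {
  const have = accessLevel(perms, action);
  if (have === ACCESS.None) {
    return { hidden: true, disabled: true };
  }
  return { hidden: false, disabled: have < ACCESS[required] };
}

// Apply the decision to a component. The component is duck-typed here so the
// function runs without ExtJS loaded; an Ext.Component exposes the same two methods.
function applyState(cmp, perms, action, required) {
  const state = componentState(perms, action, required);
  cmp.setVisible(!state.hidden);
  cmp.setDisabled(state.disabled);
  return state;
}

// The check the Web API must repeat on every request, using the permissions it
// holds for the authenticated user: the client-side state above is only a UI
// convenience and can be bypassed by anyone who edits the page or calls the API directly.
function authorizeRequest(perms, action, required) {
  return accessLevel(perms, action) >= ACCESS[required];
}
```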
