
I've read several articles about authorisation handling in REST API + single page applications. They mostly suggest the following: when the front end app is initialised, retrieve the user's roles, check the roles on the client side and apply logic based on them, show/hide particular controls based on roles, etc.

But I didn't find any article about more complex authorisation logic.

For example: there is a REST API with Role Based Access Control (I'm using Yii2 RBAC). There is a front end app (I'm using Angular). In this app, a list of posts is displayed. So based on the user's role, the "Edit" button should be visible/hidden for each post in this list appropriately.

There are roles:

  • Admin

  • User - logged in user

  • Guest

The problem is, the "edit" permission for a user who has the "User" role depends on context (a business rule) - if the user is the author of the post, he is allowed to edit the post, otherwise it is forbidden.

So what is the best practice for handling this type of authorisation in the front end part of the application?

Provide permissions for the operations on each entity in the response when the user performs a call to a REST endpoint?

Teimuraz
  • The roles allow doing certain things if the user has a role, but they can't control which objects the user is the author of. If you mark such objects somewhere on the user's personal page, you can allow the author to edit them. – Roman C Jun 03 '16 at 19:59
  • @RomanC, how would you handle "Edit" permissions in such a case, when a list of posts is displayed and the user is the author of several posts in that list? Ok, I can compare the current user id with the post author id on the client side, but this is a relatively simple scenario; what about more complex scenarios, for example the post edit time has expired, the user is blocked, or any other non-trivial logic. – Teimuraz Jun 03 '16 at 20:11
  • I'm not sure you can handle non-trivial logic without code. Even writing such code is not a trivial task and in most cases it's delegated to the upper-level framework, but you are pretending to flack it with angular flafing in code with no option, which makes it difficult to guess and makes it off-topic. – Roman C Jun 04 '16 at 11:37
  • Got the same problem today, with a VueJS SPA frontend and a PHP/Laravel backend: no problem checking permissions on REST API calls, but lacking tutorials on handling permissions for navigation or page section visualization. What I came up with is to return an auth token along with a list of permissions (strings), to handle REST API calls with the former and navigation/page section visualization with the latter, but that's just an idea – fudo Jun 10 '22 at 08:22
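The approach the question ends with (the server embeds per-entity permissions in the REST response and the client only renders them), as an added example that is not from the question, from Yii2 or from Angular. The role names are the question's; the 24-hour edit window, the `blocked` flag and the sample posts are assumptions constructed for the example.

```javascript
// Added example: one server-side policy function decides "edit" for each post
// and the serializer embeds the result, so the client never duplicates the rule.
const EDIT_WINDOW_MS = 24 * 60 * 60 * 1000; // assumed business rule: 24h edit window

// Server side: the single source of truth for the "edit" operation.
function canEditPost(user, post, now = Date.now()) {
  if (!user || user.role === 'Guest') return false; // anonymous: never
  if (user.blocked) return false;                   // assumed rule: blocked users can't edit
  if (user.role === 'Admin') return true;           // admins edit anything
  const isAuthor = post.authorId === user.id;       // ownership check
  const windowOpen = now - post.createdAt < EDIT_WINDOW_MS;
  return isAuthor && windowOpen;                    // "User" role: own post, still in window
}

// Serializer for GET /posts: each DTO carries the operations allowed for the caller.
function serializePosts(user, posts, now = Date.now()) {
  return posts.map((p) => ({
    id: p.id,
    title: p.title,
    permissions: { edit: canEditPost(user, p, now) },
  }));
}

// Client side (the Angular template in the question): read the flag, nothing else.
function showEditButton(postDto) {
  return Boolean(postDto.permissions) && postDto.permissions.edit === true;
}

// Constructed sample data (not real posts or users).
const T0 = Date.UTC(2016, 5, 3);
const posts = [
  { id: 1, title: 'mine, fresh', authorId: 7, createdAt: T0 - 1 * 60 * 60 * 1000 },
  { id: 2, title: 'mine, too old', authorId: 7, createdAt: T0 - 48 * 60 * 60 * 1000 },
  { id: 3, title: 'someone else', authorId: 9, createdAt: T0 },
];
const alice = { id: 7, role: 'User', blocked: false };
const admin = { id: 1, role: 'Admin', blocked: false };
const guest = null;

// Ids of posts for which the client would render the "Edit" button.
function editableIds(user, now = T0) {
  return serializePosts(user, posts, now).filter(showEditButton).map((p) => p.id);
}

console.log(editableIds(alice)); // [1]
console.log(editableIds(admin)); // [1, 2, 3]
console.log(editableIds(guest)); // []
```

The embedded flag only decides what the client renders; the edit endpoint itself must call the same `canEditPost` check on every request.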

0 Answers