-1

For example, I have this piece of code in my component's template:

<input type="text" class="form-control" [(ngModel)]="profileUser.role" name="role" [disabled]="!isAdmin">

And in my component's module I have:

if (this.currentUser.role == "Admin")
{
  this.isAdmin = true;
}

I want to give the right to edit this input field only to those users who have the "Admin" role, and to disable this field for other users (but still show them the current value of profileUser.role).

Is this a safe solution, or is it possible to hack the input tag properties, gain access to the disabled field, and then change its value and update it with the Submit button?

If the second statement is correct, please suggest the safest way to show such data in an ngForm bound with ngModel two-way binding.

  • 2
    Yes, of course the user can do whatever they want on their computer. They can change the script, the templates, and the values to anything with little effort. And no, it doesn't matter at all because surely you check the user's role on the server so even if they change the input field it doesn't do anything. – JJJ May 06 '17 at 18:42
  • Thanks, I got it. – Sergey Danishevskiy May 06 '17 at 18:46

1 Answer

0

You must protect your data on both sides: client and server. Client code must control data output (but it can be hacked on the client side in many ways) and data input (data validation).

But access to and storing of all vital data must be double-checked on the server side.
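
A sketch of the server-side check that the comment and the answer both refer to, as an added example that is not part of the original post. The handler name `applyProfileUpdate`, the types and the in-memory user store are hypothetical; the point is that the role used for authorization is looked up from the server's own session data, never taken from the submitted form.

```typescript
// Hypothetical names throughout; sample data is constructed for the example.
type Role = "Admin" | "User";

interface User { id: number; name: string; role: Role; }

// What the browser submits. Every field is untrusted, including the ones
// the template rendered with [disabled]="!isAdmin".
interface ProfileUpdate { targetId: number; name?: string; role?: string; }
interface Result { status: number; user?: User; error?: string; }

const VALID_ROLES: readonly string[] = ["Admin", "User"];

// Constructed stand-in for the server's user store.
const users = new Map<number, User>([
  [1, { id: 1, name: "alice", role: "Admin" }],
  [2, { id: 2, name: "bob", role: "User" }],
]);

// sessionUserId comes from the server-side session or a verified token,
// never from the request body.
function applyProfileUpdate(sessionUserId: number, body: ProfileUpdate): Result {
  const actor = users.get(sessionUserId);
  if (!actor) return { status: 401, error: "not authenticated" };

  const target = users.get(body.targetId);
  if (!target) return { status: 404, error: "no such user" };

  const isAdmin = actor.role === "Admin"; // server-side lookup, not client state
  if (!isAdmin && actor.id !== target.id) {
    return { status: 403, error: "cannot edit another user's profile" };
  }

  // An unchanged role (what an untampered form sends) is accepted as a no-op.
  if (body.role !== undefined && body.role !== target.role) {
    if (!isAdmin) return { status: 403, error: "only admins may change roles" };
    if (VALID_ROLES.indexOf(body.role) === -1) return { status: 400, error: "unknown role" };
    target.role = body.role as Role;
  }
  if (typeof body.name === "string" && body.name.trim() !== "") {
    target.name = body.name.trim();
  }
  return { status: 200, user: { ...target } };
}
```

With this in place the `[disabled]` binding is only a display convenience: re-enabling the input in the browser changes what is submitted, and the server answers 403.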