
I have a simple yet not so easy question. (So, I suppose)

I have a current DurandalJS application in production. I am generating my views using C# Razor syntax. So, I am still using my controller to pass the HTML to the client. Rather complicated to get set up using routes/areas/etc. but it has been working.

I am using server side for only one real reason. (other than validation, but we can ignore that for now as I am sure model validation has improved and there are ways to handle this now)

Let's say I have a button. And I only want to show that button on the screen if the user is an admin. Now, of course I can use KnockoutJS (or Aurelia/Angular/whatever) to find out the user's roles and "hide" the button. But as far as I know, the button is still inside the HTML? (it is in Durandal, not sure if the newer libraries handle this differently). So, currently I use server code to do the check, then the HTML gets rendered without the button.

Knowing how many people use SPA type libraries, what are most of you doing for simple use cases like this?

Oh, yes, on the server for the return API call, we would have security anyway, so assuming someone activated the button it would not work anyway, I simply do not want my users ever seeing it.

ProgrammingLlama
JCircio
  • the question here is too broad, because it makes assumptions about the behavior specifics of multiple frameworks which each have their own implementation details. For example, in AngularJs, there is `ng-if` and `ng-hide`, one of which does not render if the condition is false, while the other does. – Claies Nov 29 '17 at 01:08
  • You want to hide the button. But the API call really should be blocked on the server side. – Vaughan Hilts Nov 29 '17 at 01:10
  • in general, the "secure" contents are usually in partial HTML templates that are only downloaded if the user is allowed to view the content, but the way this is implemented in each framework you tagged is completely different. – Claies Nov 29 '17 at 01:11
  • in knockout: http://knockoutjs.com/documentation/if-binding.html: "`if` plays a similar role to the `visible` binding. The difference is that, with `visible`, the contained markup always remains in the DOM and always has its `data-bind` attributes applied - the `visible` binding just uses CSS to toggle the container element’s visibility. The `if` binding, however, physically adds or removes the contained markup in your DOM, and only applies bindings to descendants if the expression is true." – Claies Nov 29 '17 at 01:15
  • "users" that dig through the DOM with dev tools can find way more things than just a hidden button... You may want to reconsider who is the target audience of your site as there is some chance that most (if not all) of them have no idea about inner workings of browsers... – Alexei Levenkov Nov 29 '17 at 02:47
  • Some great comments. thank you. – JCircio Nov 29 '17 at 12:37
  • @Claies Yes, I have stood up an Angular 4 project, and have noticed the `ng-if` and `ng-hide` difference. However, I did not know about the KnockoutJS `if` binding removing from the DOM. – JCircio Nov 29 '17 at 12:43
  • @Claies I am curious about the "partial HTML templates" you mention. Is that MVC partial pages you speak of? Or some JS (Durandal/Angular/etc.) client side template? I'm assuming the latter of the 2 since in practice you are trying to rid yourself of having Razor generate the views in a SPA. Just trying to get an idea how others are using an SPA framework/library/etc. to handle scenarios like those mentioned. – JCircio Nov 29 '17 at 12:52
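
An added example, not part of the original thread, of the approach raised in the comments: admin-only markup lives in its own fragment that the server returns only to permitted roles, and the API behind the button is authorized separately. The template names, roles, functions and markup are hypothetical, constructed for illustration.

```javascript
// Constructed sample data: template names, roles and markup are hypothetical.
const TEMPLATES = {
  "orders/list": { roles: ["user", "admin"], html: '<table id="orders"></table>' },
  "orders/admin-toolbar": { roles: ["admin"], html: '<button id="purge">Purge orders</button>' },
};

// Server-side gate for view fragments: markup is returned only when the
// caller holds one of the roles the template requires.
function serveTemplate(user, name) {
  // Own-property lookup so names like "__proto__" never resolve to a template.
  const known = Object.prototype.hasOwnProperty.call(TEMPLATES, name);
  const tpl = known ? TEMPLATES[name] : null;
  // Design choice in this sketch: unknown and forbidden templates get the
  // same answer, so the response does not reveal which admin views exist.
  if (!tpl || !user || !user.roles.some((r) => tpl.roles.includes(r))) {
    return { status: 404, body: "" };
  }
  return { status: 200, body: tpl.html };
}

// The API behind the button is authorized independently of what was rendered.
function purgeOrders(user) {
  if (!user || !user.roles.includes("admin")) return { status: 403 };
  return { status: 204 };
}

// The markup a client actually holds after requesting every fragment of a page.
function renderPage(user, names) {
  return names
    .map((n) => serveTemplate(user, n))
    .filter((r) => r.status === 200)
    .map((r) => r.body)
    .join("\n");
}

const alice = { name: "alice", roles: ["admin"] };
const bob = { name: "bob", roles: ["user"] };
const page = ["orders/list", "orders/admin-toolbar"];

console.log("admin receives:\n" + renderPage(alice, page));
console.log("user receives:\n" + renderPage(bob, page));
console.log("user calling the API directly:", purgeOrders(bob).status);
```

With a `visible`-style binding the toolbar markup would be in every user's payload and only hidden by CSS; here it never reaches a non-admin browser, and the API check still holds if the request is made by hand.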

0 Answers