0

So tools like CASL make it easy to manage different permissions for users in Vue.js. However, I am wondering what is the best and securest way to access user information in Vue.js when using Laravel? So far I only followed Jeffreys tutorials on laracasts and he simply put these information in the global head-tag via JS:

<script>
    window.App = {!! json_encode([
        'csrfToken' => csrf_token(),
        'user' => Auth::user(),
        'signedIn' => Auth::check(),
    ]) !!};
</script>

Is this really sufficient or is there a better solution? Feels a little dirty, especially considering that users could simply change their roles to admin/moderator to see their frontend.

Thank you!

Hillcow
  • 890
  • 3
  • 19
  • 48
  • You mean users can change their roles? Don't you do backend validation of their roles before granting them right to perform some operations or request for resource? – Oluwatobi Samuel Omisakin Aug 04 '18 at 13:55
  • @OluwatobiSamuelOmisakin I do backend validation, yes. But if users change their role in the js above they will be able to see the admin frontend. They can't perform any admin action, but they are obviously not supposed to be able to see these things. – Hillcow Aug 04 '18 at 14:12
  • IMHO the cleanest way to exchange data between frontend and backend is via API. – Filip Sobol Aug 04 '18 at 14:55
  • @Laran so ajax for example you mean? – Hillcow Aug 04 '18 at 15:09
  • yes @Hillcow with Ajax, you need to setup api routes, tokens/key to recognize each users. The cost here is extra http request. – Oluwatobi Samuel Omisakin Aug 04 '18 at 16:07

0 Answers0