So, I am starting a new Aurelia project running on ASP.NET Core 2.1 (coming from DurandalJS).

Simple question: if I cannot use controllers to serve my views (which seems to be almost impossible to do with webpack, Aurelia, etc.), and my views are static HTML, how do I hide a simple button on a form if a user is not an admin? (Yes, I do know the Aurelia 'if' syntax.) How does my client 'know' the user's roles? Do we make a Web API call and get them? Is that secure? Now anyone 'watching' is aware of certain roles?

Should be simple, right? Obviously in my past project we rendered the view in cshtml and just did not "write" out the HTML based on role membership.

This does not need to be complicated, or rocket science. Just looking for a simple point in the right direction.

JCircio
  • Hiding a button isn't security. Checking to see if a user can do what they are actually attempting to do is security. As far as showing/hiding UI based on the user's rights and roles, yes, it's perfectly fine to call and get the current user's info. Yes, people can see it. Yes, they can alter it in flight or in the console. Yes, they can see UI not meant for admin users. Yes, they can attempt to call APIs that only admins are allowed to use. But if you assert they are allowed before performing actions, then it doesn't matter how they twiddle the UI. – Sep 17 '18 at 14:50
  • @will Yes, you are correct. Let's say the button calls a Web API. As long as that endpoint has [Authorize etc.] then we are good server side. So, basically what you are saying is: load the roles, cache them, show/hide elements based on roles client side. No matter. Fair enough. Is that the general opinion? – JCircio Sep 17 '18 at 14:55
  • @JCircio Yes, this is the way to go. – avrahamcool Sep 17 '18 at 16:39
  • Having a Web API in combination with a single-page application (SPA), you need to have multiple API requests to get the needed information. In my opinion this is a big advantage, that the application only requests information where it is needed. Maybe have a look at https://jwt.io/ and https://github.com/paulvanbladel/aurelia-auth – SNO Sep 18 '18 at 05:27
  • @JCircio You can use webpack + Aurelia + ASP.NET Core; there's a built-in template with aurelia-cli if you choose custom and select the 'ASP.NET Core' option. – jbockle Sep 25 '18 at 01:11
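
The point made in the comments above, as an added example that is not part of the original thread: the client reads roles only to decide what to render, while the server re-derives them from a signed token on every call. The secret, the endpoint name `deleteUserEndpoint`, the users and the `tamper` helper are all constructed for illustration; Node.js is assumed.

```javascript
// Added example: names, secret and users are constructed, not from the thread.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: HMAC key known only to the server
const b64u = (v) => Buffer.from(v).toString('base64url');
const readJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString());
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Server: issue an HS256 JWT carrying the user's roles.
function issueToken(claims) {
  const head = b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(claims));
  return `${head}.${body}.${sign(`${head}.${body}`).toString('base64url')}`;
}

// Server: return the claims only if the signature verifies, otherwise null.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = sign(`${head}.${body}`);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (readJson(head).alg !== 'HS256') return null; // accept only the expected algorithm
    return readJson(body);
  } catch { return null; }
}

// Server: hypothetical admin-only endpoint. The role check runs here on every call.
function deleteUserEndpoint(token) {
  const claims = verifyToken(token);
  if (!claims) return 401;
  if (!Array.isArray(claims.roles) || !claims.roles.includes('Admin')) return 403;
  return 200;
}

// Client: state an Aurelia if.bind could read to show or hide the button.
// It decodes without verifying, so it is a rendering hint and grants nothing.
function clientViewModel(token) {
  return { isAdmin: (readJson(token.split('.')[1]).roles || []).includes('Admin') };
}

// A user editing the token payload in the browser to claim the Admin role.
function tamper(token) {
  const [head, , sig] = token.split('.');
  return `${head}.${b64u(JSON.stringify({ sub: 'bob', roles: ['Admin'] }))}.${sig}`;
}
```

In ASP.NET Core the check inside `deleteUserEndpoint` is what the `[Authorize]` attribute mentioned above performs; a production verifier would also check token expiry and use a maintained JWT library.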
