
I have a backend with a simple RBAC implementation. We have a list of permissions, each permission is associated with a list of roles, and each user is given one or more roles.

Is it ok to send this permissions/roles mapping to the browser, so that we can use it in the client-side SPA (to hide/show some links/pages, avoid sending a request to the server, ...) depending on the connected user?

Of course we will still perform permission check on the backend.

1 Answer


It's fine as long as it's for convenience only and does not serve a security function, and as long as exposing that information does not create a vulnerability in your system.

Anything you send to the client can be manipulated and exposed by the client.

You want to ask yourself, "if I was malicious and I had this information, how could I abuse or misuse the system?"

schroeder
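The pattern the answer describes, as an added example that is not part of the question or the answer: the server owns the permission-to-roles mapping, ships the connected user's effective permissions to the SPA purely to drive the UI, and authorizes every request from its own data using the identity of the authenticated session. All permission names, roles, users and the simulated route are constructed for this example.

```javascript
// Added example (not from the question or answer): minimal RBAC where the
// browser gets a copy of the user's permissions for convenience and the
// server remains the only place where authorization actually happens.
// Permissions, roles, users and the route are constructed for illustration.

// Server-side source of truth: each permission lists the roles that grant it.
const PERMISSION_ROLES = {
  "invoice:read":  ["accountant", "admin"],
  "invoice:write": ["accountant", "admin"],
  "user:manage":   ["admin"],
};

// Constructed user store (in a real system this is the identity/session layer).
const USERS = {
  alice: { roles: ["accountant"] },
  bob:   { roles: ["admin"] },
  carol: { roles: ["viewer"] },   // a role that grants none of the permissions above
};

// Server: the set of permissions a list of roles grants, sorted for stable output.
function effectivePermissions(roles) {
  const roleSet = new Set(roles);
  return Object.entries(PERMISSION_ROLES)
    .filter(([, grantedTo]) => grantedTo.some((r) => roleSet.has(r)))
    .map(([permission]) => permission)
    .sort();
}

// Server: the payload sent to the browser for the connected user. Only this
// user's effective permissions are sent, not the whole role matrix, so the
// client learns nothing about what other roles can do.
function clientBootstrap(username) {
  const user = USERS[username];
  if (!user) throw new Error("unknown user");
  return { username, permissions: effectivePermissions(user.roles) };
}

// Client (SPA): convenience check used to hide/show links and to skip
// requests that would be refused anyway. It runs on data the user can
// edit in devtools, so it must never be the only check.
function uiCan(bootstrap, permission) {
  return bootstrap.permissions.includes(permission);
}

// Server: the authoritative check. The caller's identity comes from the
// authenticated session; nothing the client claims about its own roles or
// permissions is consulted.
function authorize(sessionUsername, requiredPermission) {
  const user = USERS[sessionUsername];
  if (!user) return { status: 401 };
  return effectivePermissions(user.roles).includes(requiredPermission)
    ? { status: 200 }
    : { status: 403 };
}

// Simulated handler for "DELETE /users/:id". The request body is accepted
// as a parameter only to show that any permissions it carries are ignored.
function handleDeleteUser(sessionUsername, _requestBody) {
  return authorize(sessionUsername, "user:manage");
}

// Demo: carol tampers with her local copy to claim user:manage. The UI check
// passes on the tampered copy; the server still refuses the request.
const carolUi = clientBootstrap("carol");
carolUi.permissions.push("user:manage");          // edited in devtools
console.log(uiCan(carolUi, "user:manage"));       // true, but meaningless
console.log(handleDeleteUser("carol", carolUi));  // { status: 403 }
```

Sending only the user's effective permissions rather than the full permission-to-roles table is a deliberate choice here: it answers the "what could a malicious user do with this information" question from the answer by giving the browser the least it needs to render the UI.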