1

First, my client side code is pure HTML, JavaScript, and angular.js. My server side API uses the Asp.Net Web API controllers.

Working off this similar example I am weary about passing user role information to the client. I am also weary about storing permission for views in my route configurations. My server side controllers and methods are built to inspect the incoming requests and authorize the specific user.

Should I worry too much about the client permissions if my server side will only allow authorized calls to be made? For example, let's assume a user and any admin can view that specific user's profile. If someone other than the user or admin tries to navigate to that profile the data will not be presented. An error from the server will be generated. The client side code can redirect the user if they are unauthorized.

I am curious to know what other developers have done for this type of scenario.

Community
  • 1
  • 1
DDiVita
  • 4,225
  • 5
  • 63
  • 117

1 Answers1

1

It primarily depends on your application specification, or your own desires. Passing user role information to the client helps you enhance UX in numerous ways. In addition to that, due to role check on different part of the front end, in theory users will not be able to do any request to your API endpoint which will end with a server error due to unauthorized request.

Let's throw some examples:

  1. You are having a link (in navigation bar let's say) to the administrative section of your app. You really don't want to expose that link to ordinary users, since they will eventually click on it. It will result with a unauthorized response from the server, and subsequently got redirected to the previous page. - In my oppinion that is completely unnecessary

  2. You have some edit form which can be editable both by users and admins. However, admins have few more fields to edit which are not permitted to the users. You really want to hide those fields, to prevent uneccesary unauthorized response from the server if those field were edited by ordinary user.

  3. You need to "fine grain" your permissions to the user's page. So you don't really don't want to show a link to details of that user if your role doesn't allow you.

  4. If you have stored roles in your client app, as a end user you won't need to the a server roundtrip in order to find out that you really aren't authorized to see something. Of course, you still must have server side authorization.

Keep in mind those scenarios are purely to give you example of few scenarios in which you will have a great benefit of having roles on your client side as well.

Darjan Bogdan
  • 3,780
  • 1
  • 22
  • 31