Browser support? #55
Comments
|
RBAC on the client side? For a security issue I don't think it's a good idea. |
|
@alejosv Why do you think so? We have proper data protection on the server. It's not about security but more about code reuse. We use rbac on client side in production for at least a year to guard some routes in SPA and hide/display some blocks based on user permissions. For example, if you can't create a post you won't see a button |
|
RBAC is not a UI/UX pattern, good practice or design, but rather, it is part of the INCITS 359-2012 standard. In a simple way, the RBAC must define which role has permission to which accesses. Because the management of users, roles and permissions are on the server side, the management must be in the same way. The response sent by the server should not hide/show elements of the DOM, since it can be manipulated by anyone. Items must be created or not created based on their role. Angular and Vuejs have directives for these cases and common layout patterns like MVC allow in the view to create or not elements in the DOM, this avoids exposing elements that give access to non-granted resources or unwanted shares. This way a client-side RBAC is not necessary and can be a major security breach. |
|
@alejosv you are right, but you can use it also just for simple cases like "can I show this button/navigation"? The backend can return "You are not allowed" when the client try to read something without rights. |
This library is for
nodebut we used it in browser as well.The only issue we have is that currently library supposed to work on
node@6+and up and as result some of the code throws errors in older browsers (IE, etc) since it contains new ES6 syntax.I think it can be configured to support browsers by few lines of code in
.babelrc.I can create PR for that
The text was updated successfully, but these errors were encountered: