Yeah, your pseudo code is pretty much all you can do. But it's not
really securing the client side; it's more like displaying a clean
user interface where a user doesn't see UI elements he actually can't
use because of some missing permissions. An attacker will always have
all UI elements.

Our UserRole object just holds a list of unique Strings, one for each
permission the user role is allowed to do. When a presenter gets
active, it sends an array of the permissions that are needed by the
presenter's display to the server, in order to secure this display. The
server then checks this array against the logged-in user account and
its roles and returns a boolean array with true/false for each
permission it has checked (in the same order).
Then we call display.secure(checkedPermissions[1],
checkedPermissions[2], ...) and the display hides/adds/removes UI
elements. So each Display that needs to be secured has a secure
method, e.g. secure(boolean hasEditPermission, boolean
hasDeletePermission, boolean hasCreatePermission). The Presenter then
asks the server to check edit, delete and create permissions for a
given user/role so that it can call the secure method with the correct
values. If a display is more complex, we have many more parameters in
our secure method.

On 1 Nov., 23:16, zixzigma <zixzi...@gmail.com> wrote:
> Thank you for your feedback.
> Yes, I was very worried about the security on the client side.
> However, as Jack pointed out,
> what if you want to show certain features to certain users (based on
> their role)?
> For example, if a user has admin privileges, show "DELETE" and "UPDATE"
> buttons on the panel.
> Or if you have a StackPanel, you want to show the parts relevant to
> the user's role/access level.
> This can also be applied to Tabs, Trees, etc.
>
> When the request gets to the server, the server can decide whether to
> perform an operation or not, based on the user's access privileges. And
> rightly so, I agree.
> However, when it comes to showing relevant widgets on the client based
> on the user's access level, I don't think there is anything the server
> can do about it.
>
> This is what I'm thinking, in pseudo code:
>
> // Add both buttons only when the user may edit AND delete;
> // without the braces the edit button would be added unconditionally.
> if (user.canEdit() && user.canDelete()) {
>     mainPanel.add(deleteButton);
>     mainPanel.add(editButton);
> }
>
> or
>
> // Pick the workspace that matches the user's role.
> if (user.isClerk()) {
>     mainPanel.add(clerkWorkspace);
> } else if (user.isBranchManager()) {
>     mainPanel.add(branchManagerWorkspace);
> }
>
> Am I wrong in my approach?
> How do you handle such scenarios based on your experience?
>
> Thank you for your insights.

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To post to this group, send email to google-web-tool...@googlegroups.com.
To unsubscribe from this group, send email to 
google-web-toolkit+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/google-web-toolkit?hl=en.
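As an added illustration (not code from this thread, and not GWT's own API), here is the pattern the reply describes, modelled in plain JavaScript so both halves fit in one file: the server keeps a list of unique permission strings per role, answers a presenter's permission query with a boolean array in request order, and the display's secure() method hides widgets from that array. It also covers the role-based widget selection from the quoted question. The role names, permission strings, account table, OrderDisplay class and function names are all assumptions constructed for the example. The last function makes the point both posters agree on: an attacker can flip every widget back to visible, so the server re-checks the permission on the actual operation.

```javascript
// Added example, not from the thread. Roles, permission strings,
// accounts and the display shape are all made up for illustration.

// ---- server side ---------------------------------------------------

// Each role holds a list of unique permission strings (as in the reply).
const ROLE_PERMISSIONS = {
  clerk: ["order.view", "order.create"],
  branchManager: ["order.view", "order.create", "order.edit", "order.delete"],
};

// Constructed sample accounts; a real server would take these from
// the authenticated session, never from the request body.
const ACCOUNTS = {
  alice: { roles: ["clerk"] },
  bob: { roles: ["branchManager"] },
};

// Union of all permissions granted by the account's roles.
function permissionsOf(account) {
  const perms = new Set();
  for (const role of account.roles) {
    for (const p of ROLE_PERMISSIONS[role] || []) perms.add(p);
  }
  return perms;
}

// Answer a presenter's query: one boolean per requested permission,
// in the same order, so the presenter can map results by index.
// Unknown users get "false" for everything (fail closed).
function checkPermissions(username, requested) {
  const account = ACCOUNTS[username];
  if (!account) return requested.map(() => false);
  const perms = permissionsOf(account);
  return requested.map((p) => perms.has(p));
}

// The only check that is actually security: verify the permission
// again when the operation is invoked, regardless of what the client
// chose to show or hide.
function performOperation(username, permission, action) {
  const [allowed] = checkPermissions(username, [permission]);
  if (!allowed) return { ok: false, error: "forbidden: " + permission };
  return { ok: true, result: action() };
}

// ---- client side ---------------------------------------------------

// Stand-in for a GWT Display: tracks which widgets are visible.
class OrderDisplay {
  constructor() {
    this.visible = { editButton: true, deleteButton: true, createButton: true };
  }
  // Mirrors secure(boolean hasEdit, boolean hasDelete, boolean hasCreate).
  secure(hasEdit, hasDelete, hasCreate) {
    this.visible.editButton = hasEdit;
    this.visible.deleteButton = hasDelete;
    this.visible.createButton = hasCreate;
  }
}

// Presenter: ask the server once for the permissions this display
// needs, then shape the UI. This is cosmetic, not access control.
function activatePresenter(username, display) {
  const needed = ["order.edit", "order.delete", "order.create"];
  const checked = checkPermissions(username, needed); // would be an RPC
  display.secure(checked[0], checked[1], checked[2]);
  return checked;
}
```

For a clerk the presenter receives [false, false, true] and hides the edit and delete buttons; setting display.visible.deleteButton back to true in the browser changes nothing on the server, because performOperation runs checkPermissions again for the single permission the operation needs.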