#1 drabslab (Sencha User)

User role management

    Hi,

    I am new to Ext but find it an exciting tool. I have a question though.

    Often, a toolbar, panel or window needs to be adapted depending on the user account and the role that a specific user has.

    As an example: a "public" user cannot change a text while an "editor" user can, and therefore needs a few extra buttons on the toolbar.

    How can this most easily be done with Ext?

#2 Animal (Sencha - Ext JS Dev Team)

    Same way as with any web page.

    The server only sends what the user is allowed to see.

    And when a request comes in from the browser, it only performs what the user is allowed to perform.

    I don't get the question really. ExtJs is just a means of creating fancy HTML, so how can the principle be different?

#3 drabslab (Sencha User)

    Quote originally posted by Animal:
        Same way as with any web page.

        The server only sends what the user is allowed to see.

        And when a request comes in from the browser, it only performs what the user is allowed to perform.

        I don't get the question really. ExtJs is just a means of creating fancy HTML, so how can the principle be different?

    Let me try to explain better (sorry for being long):

    Imagine to have a website with the following audience:
    • the general public: may see everything but can't change anything
    • contributors: may add content but not change/delete content made by other contributors
    • administrators: can add/change/delete whatever
    I am looking for an easy solution to make e.g. a panel with a toolbar with buttons to edit/add/delete... and have a simple way to configure the panel to hide the buttons from people who do not have the right to use them.

    If making such setups were easy, then I could send a standard, site-wide Ext config to the browser. As long as the user has not logged in, he/she would only see the buttons appropriate for a public user; when logging in, the browser would only receive the new user profile from the server and Ext would adapt all toolbars to the new situation.

    It is important for me to reduce the traffic (always lacking bandwidth ;-) ) and I would like to get to a situation where, after the initial page load, I only have small XML or JSON files moving between server and client.

    Expressed in an "exaggerated" way: I want to move closer to client-server than the classical web approach, where the server determines everything, including building all the pages for every individual user.

    I am aware that I will nevertheless need to do the necessary checks on the server in case a malicious user manages to bypass the client side, but that is a different issue.

#4 mschwartz (Sencha - Community Support Team)

    A perfect example of why xtype 'ignore' would be useful...

    Currently, you either send configuration for the widgets that the server determines you should see based upon your role, or in your client code you conditionally add components to the UI based upon user role.

    No matter what you do, you should check user role on the server for Ajax requests to make sure nobody's trying to post stuff without authority (like a hacker might).

#5 Animal (Sencha - Ext JS Dev Team)

    It's just the same.

    Where in the old days you would have some kind of conditionalized code outputting <a> elements or <button> elements, or not outputting them, depending on user rights, now you have conditionalized code adding or not adding JSON configs depending on user rights.

    An example might be

    Code:
        // Emit the button config only when the current user holds the right.
        // `handlerFn` travels to the client as a plain name inside the JSON;
        // the client has to map that name to a real function.
        JSONArray toolbar = new JSONArray();
        if (curUser.hasRight("create-invoice")) {
            toolbar.put(new JSONObject("{text:'Create Invoice', handler: handlerFn}"));
        }
    But it's not a different problem than it was before.

#6 chalu (Sencha User)

    Quote originally posted by Animal:
        It's just the same.

        Where in the old days you would have some kind of conditionalized code outputting <a> elements or <button> elements, or not outputting them, depending on user rights, now you have conditionalized code adding or not adding JSON configs depending on user rights.

        An example might be

        Code:
            // Emit the button config only when the current user holds the right.
            // `handlerFn` travels to the client as a plain name inside the JSON;
            // the client has to map that name to a real function.
            JSONArray toolbar = new JSONArray();
            if (curUser.hasRight("create-invoice")) {
                toolbar.put(new JSONObject("{text:'Create Invoice', handler: handlerFn}"));
            }
        But it's not a different problem than it was before.

    I beg to disagree; I had a problem with this approach last year. Yes, it worked, but the issues were that:
    1. You will be duplicating efforts because there will also be some authorization code in the server no matter what, so managing the app may be cumbersome.
    2. It is not safe. A rule in Ajax apps is never to trust anything that runs in the client. Such a client-side conditional block can be hacked.

    Funny, up till now I really can't think of a better solution aside from Animal's suggestion, but we have to admit that the way it was done in the past (a server script printing links or buttons appropriately) was more secure. Now with Ajax apps, especially where we build things with a lot of JavaScript, we need a more efficient way to let client code delegate authorization queries to the server and then act accordingly, which may involve downloading (on demand) scripts that will provide the needed functionality (more buttons on a toolbar).

    I just think this issue is more involved, instead of saying it's the same - nothing changed.
    I am still experimenting; I am persuaded that remoting (e.g. with DWR) has a lot to offer in this regard. For instance, with DWR, my business objects and logic reside on the server; all I've got on the client are stubs delegating to remote objects (on the server), receiving responses (e.g. toolbar configs based on roles) and then calling callbacks to build the actual toolbar.

    This is still in theory, but I think it has credence.

#7 drabslab (Sencha User)

    It is clear that no matter which "security" we apply at the client side we will still need a full security approach on the server side.

    I do not see my question as adding security to the client side but more as a fancy way to represent the consequences of the security issues (imposed on the server side) to the visualisation of panels, windows, toolbars on the client.

    I understand from the answers that Ext does not have any method to do this, and Animal has given a good example of how it has to be done right now (thank you).

    But I also tend to agree with chalu, something better might be envisaged for the future.

    Thanks a lot for the answers.

#8 Animal (Sencha - Ext JS Dev Team)

    If you want something simpler, then maybe some kind of custom layout class might be for you.

    Given that you are going to have checks on the server anyway to validate the authority of any requests that come in, you might as well just send the complete UI description to the browser. Buttons could have any extra config options you like - they are all just applied to the object anyway.

    Then your customized layout manager could interrogate the properties of the Buttons (or whatever Component) before deciding whether or not to render the Component.

    Of course there are multiple layout classes, so how about an AOP solution?

    Add an interceptor to Component.render which decides whether or not to render a Component.
