Reputation: 1
Here's the scenario. I am developing a one page app:
Does it mean that it would be necessary to check whether the user has logged in or not each time he clicks a button (some buttons can expand to a menu, whose components are partly shown according to the login state)?
Are there any better possible solutions?
Upvotes: 0
Views: 1076
Reputation: 13639
It is probably a good idea to use a UI object (with, for example, menu options) based on user privileges. Your server-side code can return some JSON which includes only the menu options that the current user can see, and you use that object to construct the front end for that user. So if a user clicks a button to expand a menu, you don't have to check anything; just display what was returned from the server initially.
You should check permissions every time someone performs a "meaningful" operation in the system, such as renaming an object, requesting some data, or deleting something. This check can easily be built into your backend API...
Upvotes: 1
Reputation: 2810
Yes, to be secure you need to make the server authoritatively decide what the client can and CANNOT do. Because JavaScript is run client-side, anyone can modify it and make it run how they want. The server is what you control, and you must use this to ensure that any requests by the client are valid, and then follow through on or reject them accordingly.
Servers should almost always be authoritative in this way.
Upvotes: 1
Reputation: 119847
Yes, you should. Only the server knows who should and should not do certain actions. It's mandatory to do checks on the server-side. Never trust the client.
Upvotes: 1
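The pattern all three answers describe, as an added example that is not code from the question or from any of the answers: the server builds the menu JSON from the user's privileges (first answer) and, independently of that, checks the permission on every meaningful operation before running it, so a client that has been modified to show a hidden button or to call the API directly still gets refused (second and third answers). The users, roles, session tokens, permission names and operations below are constructed for illustration; a real server would take the token from a signed cookie or login flow and back the tables with a database.

```javascript
// Added example, not part of the original Q&A. Roles, users and
// permission names are constructed for illustration.

// Role -> set of permission names.
const PERMISSIONS = {
  viewer: new Set(["document:read"]),
  editor: new Set(["document:read", "document:rename", "document:delete"]),
};

// Constructed session store: session token -> logged-in user.
const SESSIONS = new Map([
  ["tok-alice", { name: "alice", role: "editor" }],
  ["tok-bob", { name: "bob", role: "viewer" }],
]);

// Every menu option is tied to the permission needed to perform it.
const MENU = [
  { id: "open", label: "Open", permission: "document:read" },
  { id: "rename", label: "Rename", permission: "document:rename" },
  { id: "delete", label: "Delete", permission: "document:delete" },
];

function hasPermission(user, permission) {
  if (!user) return false;
  const granted = PERMISSIONS[user.role] || new Set();
  return granted.has(permission);
}

// Server side: the menu JSON for this session (first answer). The client
// renders it as-is and needs no per-click login check of its own.
function menuFor(token) {
  const user = SESSIONS.get(token);
  if (!user) return []; // anonymous visitor: no privileged options
  return MENU.filter((m) => hasPermission(user, m.permission)).map(
    ({ id, label }) => ({ id, label }),
  );
}

// Server side: operation name -> handler. The permission required for an
// operation is looked up by the same name, so no handler can be reached
// without passing the check in handleRequest.
const OPERATIONS = {
  "document:rename": (args) => ({ renamed: args.id, to: args.name }),
  "document:delete": (args) => ({ deleted: args.id }),
};

// The authoritative check on every "meaningful" request. It does not care
// what the client displayed; it only cares who the session belongs to.
function handleRequest(req) {
  const user = SESSIONS.get(req.token);
  if (!user) return { status: 401, body: { error: "not logged in" } };
  const handler = OPERATIONS[req.op];
  if (!handler) return { status: 404, body: { error: "unknown operation" } };
  if (!hasPermission(user, req.op)) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: handler(req.args) };
}

// Client side (browser): render exactly what the server returned. A user
// who edits this function to draw a "Delete" button for themselves gains
// nothing, because handleRequest still refuses the operation.
function renderMenu(options) {
  return options
    .map((o) => `<button data-op="${o.id}">${o.label}</button>`)
    .join("");
}

// Stand-alone demo.
console.log(renderMenu(menuFor("tok-bob")));
console.log(handleRequest({ token: "tok-bob", op: "document:delete", args: { id: 7 } }));
console.log(handleRequest({ token: "tok-alice", op: "document:delete", args: { id: 7 } }));
```

The design point is that `menuFor` is a convenience for the UI, while `handleRequest` is the security boundary: removing the menu filtering would only make the UI uglier, whereas removing the permission lookup in `handleRequest` would let any logged-in client perform any operation.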