urlreader

Reputation: 6605

An easy way to prevent hack by changing DOM in browser?

I have a form which lists a user's properties, i.e. Role, Group, IsApproved, ... For an admin, these are enabled and can be changed. But for a regular user, these are just for display purposes. The program disables these when the form is loaded.

The problem is: for a regular user, once they see these, they can use the developer tools to change the value in the DOM. For example, Role is a drop-down list; it shows Admin/GroupAdmin/User:

<select name="ctl00$MainContent$ddlRoles" id="MainContent_ddlRoles" class="aspNetDisabled" style="width:100px;" disabled="disabled">
    <option selected="selected" value="Admin">Admin</option>
    <option value="GroupAdmin">GroupAdmin</option>
    <option value="User">User</option>
</select>

Now, the user removes the

disabled="disabled"

Then ddlRoles is enabled, and the user can change it.

My question is: do I have to check the permission when updating the database? Or is there a simple way in ASP.NET to prevent this?

Thanks

Upvotes: 0

Views: 242

Answers (2)

iamkd

Reputation: 94

You can't protect the DOM from being changed in any browser; obviously you need to check user permissions on the server.

You can set a conditional in code, so the page renders for the user without this element if he does not have any permissions, but you should always add a server-side permission check when you update the database, because the client side can always be edited or 'hacked'.

Upvotes: 2

Antiga

Reputation: 2274

Because this seems like mostly a client app, the type of authentication you are doing in the browser is going to mainly be hiding and disabling features. This seems to be exactly what you are doing.

You will need to do server authentication to actually secure your endpoints and prevent calls being made by users who are just manipulating your front-end.

Upvotes: 1
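
The server-side check that both answers call for, as an added example that is not part of the original question or answers: a stand-alone C# program that decides from the server-side identity alone and validates the posted value against the known roles. `TryApplyRole`, `UserRecord` and the sample principals are hypothetical names; in a WebForms code-behind the principal would be `Page.User` and the form collection `Request.Form`.

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Security.Principal;

// Hypothetical stand-in for the row that would be written to the database.
class UserRecord { public string Role = "User"; }

static class ProfileUpdate
{
    static readonly string[] AllowedRoles = { "Admin", "GroupAdmin", "User" };
    const string RoleField = "ctl00$MainContent$ddlRoles"; // name of the <select> in the question

    // Returns true only if the role change was applied. The decision uses the
    // server-side identity (caller), never the state of the control in the browser.
    public static bool TryApplyRole(IPrincipal caller, NameValueCollection form, UserRecord target)
    {
        string posted = form[RoleField];
        if (posted == null) return false; // browsers do not submit disabled controls

        if (!caller.IsInRole("Admin"))
        {
            // The control was rendered disabled for this user, so a posted value
            // means the request was edited; record it and change nothing.
            Console.WriteLine($"DENY: {caller.Identity.Name} submitted {RoleField}");
            return false;
        }
        if (!AllowedRoles.Contains(posted, StringComparer.Ordinal))
        {
            Console.WriteLine($"REJECT: unknown role value from {caller.Identity.Name}");
            return false;
        }
        target.Role = posted;
        return true;
    }

    static void Main()
    {
        // Constructed sample data: two principals sending the same edited POST body.
        var admin = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Admin" });
        var user = new GenericPrincipal(new GenericIdentity("bob"), new[] { "User" });
        var form = new NameValueCollection { { RoleField, "Admin" } };

        var record = new UserRecord();
        Console.WriteLine($"bob applied: {TryApplyRole(user, form, record)}, role is {record.Role}");
        Console.WriteLine($"alice applied: {TryApplyRole(admin, form, record)}, role is {record.Role}");
    }
}
```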
