Can a user edit the code in a template helper?

I am wanting to display parts of a page depending on the permissions of the logged in user. My template would look something like:

{{#if hasPermissions permission="SectionA"}}
Section A code…
{{/if}}

{{#if hasPermissions permission="SectionB"}}
Section B code…
{{/if}}

My template helper would contain a method called ‘hasPermissions’ which takes as a parameter ‘permission’. The result of the method would be a boolean true/false as to whether the user has permissions.

What I need to know is whether an end user would be able to either edit the hasPermissions code when it is client side or put a break point on and change the result before it is sent back? It is extremely important that users are not able to hack the client side code to allow them to see content they are not allowed to see.

If it is the case that users can edit the code - what is the way to achieve displaying sections of a page based on permissions?

All code on the client can potentially be changed or viewed, which makes the most important line of security of your app the endpoints between your client and your server: publications/methods on the server/both.

You’re asking the wrong question. The right one would be “how can I prevent the client from getting data it shouldn’t have?” And the answer would be “restrict this data in your publication, on the server”. This way you don’t have to worry if the client tries to hack anything, because it won’t have access to restricted data.

Thanks for the reply - I agree with your point about restricting the data in my publications. However, what if I wanted to prevent users going to a particular page based on their permissions?

My current thinking would be very similar to my original example:

{{#if hasPermissions permission="PageA"}}
Page A content
{{else}}
You do not have permissions to view this page.
{{/if}}

I would have the same concerns about hacking the ‘hasPermissions’ template helper method on this example. Is there a secure way to do this?

Yes. Simply don’t put important content on the client side - put it into a publication and publish that only to validated users.

Also, everything which manipulates the collections should go into Meteor method calls to the server (which again only get executed after validation).

This way it doesn’t matter if the user sees an “Update blogtext” button. He may see it, but he can’t do anything with it.

In short: design your application such that you don’t have to care who sees the layout.
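To make the advice in the replies above concrete (restrict data in the publication, do mutations in server methods), here is an added example that is not part of the thread. It models a server-side permission check, a publication and a method as plain functions so it runs without Meteor; in a real app the same checks would sit inside `Meteor.publish` and `Meteor.methods`, with `this.userId` supplying the user identity. The `users`, `posts` collections, the `hasPermission`, `publishPage` and `updatePostText` names and the permission strings are all constructed for the example.

```javascript
// Added example, not code from the thread: server-side permission enforcement
// modelled as plain functions so it runs without Meteor. The shape mirrors a
// Meteor publication and method: the decision is made from the server's own
// user record, never from anything a client-side template helper computed.

// Constructed, in-memory stand-ins for the users and posts collections.
const users = new Map([
  ['u1', { permissions: ['PageA', 'SectionA'] }],
  ['u2', { permissions: ['SectionB'] }],
]);

const posts = [
  { _id: 'p1', page: 'PageA', text: 'Page A content' },
  { _id: 'p2', page: 'PageB', text: 'Page B content' },
];

// The only authoritative permission check. `userId` is the identity the
// server established at login (in Meteor: this.userId inside a publication
// or method), never a value passed in the publication/method arguments.
function hasPermission(userId, permission) {
  const user = userId ? users.get(userId) : undefined;
  return Boolean(user && user.permissions.includes(permission));
}

// Stand-in for a publication: returns the documents the client may receive.
// An unauthorised (or logged-out) client gets nothing, so the restricted
// content never reaches the browser and no client-side edit can reveal it.
function publishPage(userId, page) {
  if (!hasPermission(userId, page)) return [];
  return posts.filter((p) => p.page === page);
}

// Stand-in for a method: validates arguments, re-checks permission on the
// server, and only then mutates. Whether the user can see or click the
// "Update blogtext" button is irrelevant, because the check lives here.
function updatePostText(userId, postId, text) {
  if (typeof postId !== 'string' || typeof text !== 'string') {
    throw new Error('invalid-arguments');
  }
  const post = posts.find((p) => p._id === postId);
  if (!post) throw new Error('not-found');
  if (!hasPermission(userId, post.page)) throw new Error('not-authorized');
  post.text = text;
  return post;
}

// Usage: an authorised user receives Page A; anyone else receives an empty set.
console.log(publishPage('u1', 'PageA').length, publishPage('u2', 'PageA').length);
```

The client-side `hasPermissions` helper in the original post can still exist to tidy up the layout, but it decides nothing: the publication above simply never sends Page A to a user without the `PageA` permission, and the method rejects the write regardless of what the client claims.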

I strongly recommend reading the Meteor Guide, particularly the sections on URLs and Routing, Users and Accounts and Security.

Actually, probably best to read everything :wink:
