I have a web app which is part Rails and part Backbone. Some things, such as a commenting system I have implemented, are written mostly in JavaScript on the client side. The Rails backend simply handles persistence by passing JSON back and forth.
When I render pages from the server, handling who gets to see what is easy. I can say things such as
<li class="comment">
  <span class="comment_text"><%= @comment.text %></span>
  <% if user_signed_in? and current_user == @comment.author %>
    <a class="delete" href="some delete url">Delete Comment</a>
  <% end %>
</li>
And that will only render the link to delete a particular comment if the current user is the comment’s author. No problem.
However, now that I'm rendering comments on the client side using JavaScript templates (which are cached, afaik), I don't have access to current_user. I can't tell if the user currently using my app is the author of the comment or not, so I can't control what he gets to see.
Sure, he won't be able to delete the comment either way, because I authorize on the server as well, but I'd rather not show him the link in the first place.
How can I accomplish this?
I’d love some links to resources on this topic as well as answers because I can’t seem to find any, even though it seems to me like this is a topic that should have been covered in countless blogs.
I prefer the following approach.
First, in your layout, generated on the server side, pass the current user's data that you'll need on the client side:
It will be accessible in your EJS templates. Now, in the template, you can make the same check as on the server side:
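To make the approach concrete, here is an added example (it is not code from the question or the answer above). It simulates the two halves: the server embedding the current user's JSON into the layout, and a client-side template function that only emits the Delete link when the embedded user id matches the comment's author id. The names CURRENT_USER, safeJsonForScriptTag, renderComment, the author_id field and the /comments/:id delete URL are all assumptions made for illustration; the sample user and comments are constructed inline.

```javascript
// Added example, not from the original question or answer.
// Assumed names: CURRENT_USER, safeJsonForScriptTag, escapeHtml, renderComment.

// Server side (ERB, shown as a comment) would write the current user into the layout:
//   <script>window.CURRENT_USER = <%= raw safe_json(current_user) %>;</script>
// When inlining JSON into a <script> tag, escape "<", ">" and "&" as \uXXXX so a
// value such as a display name containing "</script>" cannot close the tag early.
// The escaped form is still valid JSON, so JSON.parse returns the original string.
function safeJsonForScriptTag(obj) {
  return JSON.stringify(obj)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026");
}

// HTML-escape interpolated values: the JS-template equivalent of ERB's <%= %>.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Client-side template: the same authorship check as the ERB version.
// currentUser is the object the server embedded (null when nobody is signed in).
// Hiding the link is a UX decision only; the server must still authorize DELETE.
function renderComment(comment, currentUser) {
  const isAuthor = currentUser !== null && currentUser.id === comment.author_id;
  let html = '<li class="comment" data-id="' + escapeHtml(comment.id) + '">';
  html += '<span class="comment_text">' + escapeHtml(comment.text) + "</span>";
  if (isAuthor) {
    // Assumed delete URL; the original text leaves this as "some delete url".
    html +=
      '<a class="delete" href="/comments/' +
      encodeURIComponent(comment.id) +
      '" data-method="delete">Delete Comment</a>';
  }
  html += "</li>";
  return html;
}

// Constructed sample: what the server would have written into the layout,
// then parsed back on the client exactly as the browser would evaluate it.
const currentUserJson = safeJsonForScriptTag({ id: 42, name: "alice</script>" });
const CURRENT_USER = JSON.parse(currentUserJson);

// Constructed sample comments, as the JSON API would return them.
const comments = [
  { id: 1, author_id: 42, text: "first post" },
  { id: 2, author_id: 7, text: "<script>alert(1)</script> nice!" },
];

function renderAll(list, user) {
  return list.map((c) => renderComment(c, user)).join("\n");
}
```

Note what the check relies on: the user id comes from the server-rendered layout, not from the comment payload, so a comment JSON with a spoofed author_id cannot make someone else's delete link appear. A visitor can of course edit CURRENT_USER in the console, which is exactly why the server-side authorization the question already has must stay in place; the client-side check only decides what to draw.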