I’m debating the best way to propagate fairly complex permissions from the server to an AJAX application, and I’m not sure the best approach to take.
Essentially, I want my permissions to be defined so I can request a whole set of permissions in one shot, and adjust the UI as appropriate (the UI changes can be as low level as disabling certain context menu items). Of course, I still need to enforce the permissions server side.
So, I was wondering if anyone has any suggestions for the best way to
- maintain the permissions and use them in server code
- have easy access to the permissions in javascript
- not have to make a round-trip request to the server for each individual permission
Thoughts?
If you have a clear set of permissions, like a ‘user level’ or ‘user type’, you could just pass the value down in a hidden field and access the value through the DOM. You could still do this if your permissions were more granular, but you would either have a lot of hidden fields or you would have to encode the information into XML or JSON or some other format.
You might set them as bit flags so that you could OR a single numeric value with a mask to see if the user had the permission for a specific activity. That would be very flexible and as long as you don’t have more than 32 or so specific ‘rights’, that would allow for any permutation of those rights in a very small package (basically an unsigned int).
For example:
Then a user with a permission of
0x000007could edit, create, and delete, but nothing else.In either case, I think you’re on the right track – make the request once per page invocation, store the permissions in a global JavaScript data structure, and go from there. AJAX is nice, but you don’t want to query the server for every specific permission all over your page. You would do it once on the page load, set up the presentation of your page and save the value in a global variable, then reference the permission(s) locally for event functions.