How does the front end control user permissions?
My idea is to add admin: true to the backend user table, and then have the frontend first verify whether the logged-in user is admin. If so, conditionally render the things admin uses. This feels very flawed. Please tell me a bit about how permission management is designed.
After reading your answers, I have an idea: set a global variable in React to control the display of permission-gated operations. When data is sent to the backend, the backend first verifies whether the user performing the current operation has admin permissions.
First, some views on permissions:
What the frontend needs to do is prevent ordinary users from sending API requests they have no permission for. What the backend needs to do is, when it receives a request from a user whose permissions do not match, refuse to perform the data operation and return data in an agreed format (so the frontend can judge and prompt).
Then there are only two kinds of permission work on the frontend:
- The first category: hide operation buttons the user has no permission for, or prompt directly when an unauthorized button is clicked instead of sending the request, or load data according to the current user's permissions.
- The second category: cooperate with the backend's permission authentication, either in the login flow or with some authentication on each request.
Here is one practice:
Since the problem you are running into seems to be the first category: after the user logs in, store a copy of the user's permission data (either derived locally or requested from the backend), something like {admin: true}, or {lookup: true, operate: false}, or a list of the permissions the user has: ['lookup', 'operate', 'create', 'delete', 'modify']. Then check against that data in the parts of the interface that involve permissions, or before sending requests that involve permissions.
Permissions should always be controlled by the backend. At most, the frontend displays things on demand. Whether the user has a permission should be decided by the backend. Never trust data sent from the frontend; the frontend is not a secure environment.
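The division of labour the first answer describes, together with the "never trust the frontend" point of the reply above, as an added example that is not part of the original thread. The frontend keeps a copy of the user's permissions and uses it only to hide or gate buttons; the backend re-derives identity from the session token and permissions from its own records on every request, and answers with an agreed error shape the frontend can prompt from. The user table, session store, action names, button list and response fields are all assumptions made for this illustration; plain JavaScript stands in for React so the block runs in node.

```javascript
// Added example (not from the original thread). Frontend hides/gates, backend decides.
// The user table, session store, actions and button list below are constructed for illustration.

// ---- backend (in-memory stand-ins for the user table and session store) ----
const USERS = {
  alice: { permissions: ['lookup', 'operate', 'create', 'delete', 'modify'] },
  bob:   { permissions: ['lookup'] },
};
const SESSIONS = { 'tok-alice': 'alice', 'tok-bob': 'bob' }; // token -> username

// Permission each API action needs. Kept on the server; the client list below is
// only used to decide what to draw.
const REQUIRED = { listItems: 'lookup', deleteItem: 'delete' };

function handleRequest(req) {
  // Identity comes from the session token only. A field such as req.admin is ignored:
  // the frontend is not a trusted environment.
  const username = SESSIONS[req.token];
  if (!username) return { ok: false, code: 'UNAUTHENTICATED', message: 'please log in' };
  const needed = REQUIRED[req.action];
  if (!needed) return { ok: false, code: 'UNKNOWN_ACTION', message: `no such action: ${req.action}` };
  if (!USERS[username].permissions.includes(needed)) {
    // Agreed shape: the frontend can show `message` as a prompt without parsing anything else.
    return { ok: false, code: 'FORBIDDEN', message: `${needed} permission required` };
  }
  // The real data operation would go here; stubbed for the example.
  return { ok: true, data: req.action === 'listItems' ? ['item1', 'item2'] : 'deleted' };
}

// ---- frontend (plain JS instead of React so it runs in node) ----
// Buttons with the permission that unlocks them; `perms` is the copy stored after login.
const BUTTONS = [
  { label: 'View',   action: 'listItems',  needs: 'lookup' },
  { label: 'Delete', action: 'deleteItem', needs: 'delete' },
];

// First category: only render what the user may use.
function visibleButtons(perms) {
  return BUTTONS.filter(b => perms.includes(b.needs)).map(b => b.label);
}

// First category again: prompt locally instead of sending a request the user lacks
// permission for. Second category: once a request is sent, the backend's verdict wins,
// which matters when the local copy is stale (e.g. permission revoked after login).
function clickButton(perms, button, token) {
  if (!perms.includes(button.needs)) {
    return { sent: false, prompt: `You do not have the ${button.needs} permission` };
  }
  const res = handleRequest({ token, action: button.action });
  if (!res.ok) return { sent: true, prompt: res.message };
  return { sent: true, data: res.data };
}
```

The case worth noticing is a stale client copy: if bob's frontend still believes he has delete permission, clickButton sends the request, handleRequest refuses it from the server-side record, and the frontend shows the backend's message. Sending admin: true in the request body changes nothing, because handleRequest never reads it.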
Look into tokens.
Use a token. When logging in, write the current user's permissions into the session, and then directly check them and do different things where needed.
Permission control is handed over to the backend.
The frontend only renders the switches; it is safe to send a request each time you enter a page and get the permission switches from the backend.
1. If it is admin, the frontend directly decides control, allowing it all routes and operation permissions without going through the backend.
2. If not admin, this requires cooperation between the frontend and backend: the frontend has a page for permission assignment (which can be operated by admin). After the backend has stored the values, other frontend users get their relevant permissions when they log in.
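The assignment flow from the answer above, as an added example that is not part of the original thread: an admin changes another user's permissions through an API, the backend stores them, the next login of that user returns the new set, and the frontend builds its route list from it. The user records, the token format, the permission names and the route table are assumptions made for this illustration. One caveat the earlier reply already makes: the assignment call is itself a privileged operation, so the backend decides who is admin from its own record, not from anything the frontend sends.

```javascript
// Added example (not from the original thread): admin assigns permissions, backend stores
// them, the target user receives them on next login. All data below is constructed.

const USERS = {
  alice: { admin: true,  permissions: ['lookup', 'operate', 'create', 'delete', 'modify'] },
  bob:   { admin: false, permissions: ['lookup'] },
};
const SESSIONS = new Map(); // token -> username, server side only
let tokenCounter = 0;

// Login: issue a token and hand the frontend a copy of the user's permissions.
function login(username) {
  if (!USERS[username]) return { ok: false, code: 'NO_SUCH_USER' };
  const token = `tok-${++tokenCounter}`; // assumed opaque token; a real one would be random
  SESSIONS.set(token, username);
  const u = USERS[username];
  return { ok: true, token, admin: u.admin, permissions: [...u.permissions] };
}

const KNOWN = ['lookup', 'operate', 'create', 'delete', 'modify'];

// Assignment endpoint. The caller is identified by the token and the admin flag is read
// from the server record; the request carries no trusted statement about who the caller is.
function assignPermissions(token, target, perms) {
  const caller = SESSIONS.get(token);
  if (!caller) return { ok: false, code: 'UNAUTHENTICATED' };
  if (!USERS[caller].admin) return { ok: false, code: 'FORBIDDEN', message: 'admin only' };
  if (!USERS[target]) return { ok: false, code: 'NO_SUCH_USER' };
  const unknown = perms.filter(p => !KNOWN.includes(p));
  if (unknown.length) return { ok: false, code: 'BAD_PERMISSION', message: `unknown: ${unknown.join(',')}` };
  USERS[target].permissions = [...new Set(perms)]; // stored server side, picked up at next login
  return { ok: true };
}

// Frontend: route table keyed by the permission that unlocks each route.
const ROUTES = [
  { path: '/items',        needs: 'lookup' },
  { path: '/items/edit',   needs: 'modify' },
  { path: '/items/delete', needs: 'delete' },
  { path: '/admin/perms',  needs: 'admin' },
];

// Build the routes to register from the login response (the "switches" the frontend shows).
function routesFor(loginResult) {
  const perms = loginResult.admin ? [...loginResult.permissions, 'admin'] : loginResult.permissions;
  return ROUTES.filter(r => perms.includes(r.needs)).map(r => r.path);
}
```

Typical sequence: alice logs in and gets the admin page; bob logs in and sees only /items; bob's own call to assignPermissions is refused with FORBIDDEN; alice grants bob modify; bob's next login returns the new list and routesFor adds /items/edit. Nothing the frontend stores is consulted by assignPermissions, which is what keeps the "admin: true in a global variable" idea from the question harmless.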