Propagate Permissions to Javascript

 

I'm debating the best way to propagate fairly complex permissions from the server to an AJAX application, and I'm not sure the best approach to take.

Essentially, I want my permissions to be defined so I can request a whole set of permissions in one shot, and adjust the UI as appropriate (the UI changes can be as low level as disabling certain context menu items). Of course, I still need to enforce the permissions server side.

So, I was wondering if anyone has any suggestions for the best way to

  • maintain the permissions and use them in server code
  • have easy access to the permissions in javascript
  • not have to make a round-trip request to the server for each individual permission

    • Thoughts?

    If you have a clear set of permissions, like a "user level" or "user type", you could just pass the value down in a hidden field and access the value through the DOM. You could still do this if your permissions were more granular, but you would either have a lot of hidden fields or you would have to encode the information into XML or JSON or some other format.

    You might set them as bit flags so that you could OR a single numeric value with a mask to see if the user had the permission for a specific activity. That would be very flexible and as long as you don't have more than 32 or so specific "rights", that would allow for any permutation of those rights in a very small package (basically an unsigned int).

    For example: 

    0x00000001 //edit permission
0x00000002 //create new thing permission
0x00000004 //delete things permission
0x00000008 //view hidden things permission
   .
   .
   .
0x80000000 //total control of the server and everyone logged in

    Then a user with a permission of 0x000007 could edit, create, and delete, but nothing else.

    In either case, I think you're on the right track - make the request once per page invocation, store the permissions in a global JavaScript data structure, and go from there. AJAX is nice, but you don't want to query the server for every specific permission all over your page. You would do it once on the page load, set up the presentation of your page and save the value in a global variable, then reference the permission(s) locally for event functions.

    如果您将权限结构作为JSON对象(或XML,如果您愿意)传输给客户端,则可以使用客户端代码处理该对象,然后将其发送回服务器,该服务器可以执行任何需要验证的操作数据并坚持它。

    I don't necessarily see it as the most "correct" solution, but would it be possible to keep all the permission stuff on the server side, and just serve the updated UI rather than some kind of JSON permissions system?

    You'd have to make the decision based on how busy and intensive your app expects to be, but definitely a decision worth making either way

    链接地址: http://www.djcxy.com/p/41936.html

    上一篇: 如何为Python代码做Makefile依赖

    下一篇: 将权限传播给Javascript