Form access control - suggestions
Tue, Sep 15 2015 11:16 AM

Petter Topp

Hi All.

I need to implement some kind of access control to the various forms in my EWB app.
Users have a "Role" (Admin, Editor, Approval, ..) definition that I can use for access testing.

This could obviously be solved by hard coding this kind of test on every form...

I would appreciate any suggestion / best practice / ideas.

Best regards
Petter
Tue, Sep 15 2015 11:47 AM

squiffy

Telemix Ltd.


I do this.
Users are logged in against a server (in my case B4J but could just as easily be PHP/whatever).
The server returns a token, which I store in the EWB app.
Every form gets its data from the server via an ajax call which includes this token.
If the server determines that the action requested is NOT permitted for that token then I return an error code which is parsed by the ServerRequest onComplete callback. In my case I display a modal dialogue box that, when the OK button is clicked, restarts the app forcing them to log in again.

This doesn't necessarily hide the form, but it does stop it showing any inappropriate data.

You could return & store the permissions after logging in and, before showing the form, call a function that tests for authority. Not very secure, as in a client-side app those permissions could be tampered with.

Depends how secure you need to be, really.
Tue, Sep 15 2015 12:10 PM

Petter Topp

squiffy, how do you determine if the data requested is permitted or not?

Petter
Tue, Sep 15 2015 12:57 PM

squiffy

Telemix Ltd.


Ok, so a user logs in with username/pass and I fetch some details about them, including role, that's stored in a db.
I generate a unique token (guid) and store this along with the role info (in memory or in a db).
This token is returned to EWB.
When my next ajax request for data comes in from EWB to the server (which includes the token in the POST data) I look up the data stored against the token and retrieve the role.
My server code then determines if this retrieved role is allowed to fulfil the request, returning either 200 and the data in a json payload or some arbitrary code beginning with 4xx and no data if not.

Are you using a back end like PHP & MySQL?
Tue, Sep 15 2015 1:43 PM

Petter Topp

Ok, so you validate the role within the execution of the request on the server side.

What I consider to be an issue is the administration of changes to what the roles can access or not.
IOW, there should be an easy way to change the role / access matrix in an easy way - preferably without recompiling.
Perhaps I simply should set up a table defining this matrix, and do a lookup for validation.

Thanks - this was really good help...

As for backend, I'm using the EWB server with a couple of different modules separated by functionality.
The database is MySQL.

Br
Petter
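Putting squiffy's token lookup and Petter's table-driven role/access matrix together, here is an added example; it is not code from the thread, from EWB or from any poster's server. It sketches the server side in Python with an in-memory SQLite database standing in for MySQL. The table names, the resource/action vocabulary, the user accounts and the matrix rows are all constructed for the example; a real deployment would also expire tokens and check a password at login.

```python
import secrets
import sqlite3

# Constructed sample data (not from the thread): user accounts and the
# role / access matrix. Editing rows in role_access changes what a role may
# do without recompiling any server module.
USERS = [("alice", "Admin"), ("bob", "Editor"), ("carol", "Approval")]
ACCESS_MATRIX = [
    ("Admin", "orders_form", "read"),
    ("Admin", "orders_form", "write"),
    ("Admin", "users_form", "read"),
    ("Admin", "users_form", "write"),
    ("Editor", "orders_form", "read"),
    ("Editor", "orders_form", "write"),
    ("Approval", "orders_form", "read"),
    ("Approval", "orders_form", "approve"),
]


def open_db():
    """In-memory SQLite stand-in for the MySQL tables discussed in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL);
        CREATE TABLE role_access (
            role TEXT NOT NULL, resource TEXT NOT NULL, action TEXT NOT NULL,
            PRIMARY KEY (role, resource, action));
        CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    db.executemany("INSERT INTO role_access VALUES (?, ?, ?)", ACCESS_MATRIX)
    return db


def login(db, username):
    """Issue an unguessable session token; the role itself never leaves the server."""
    if db.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is None:
        return None
    token = secrets.token_urlsafe(32)   # 256 bits of randomness from the OS CSPRNG
    db.execute("INSERT INTO sessions VALUES (?, ?)", (token, username))
    return token


def handle_request(db, token, resource, action):
    """Server-side check run for every ajax call. Returns (status, payload)."""
    row = db.execute(
        "SELECT u.role FROM sessions s JOIN users u ON u.username = s.username "
        "WHERE s.token = ?", (token,)).fetchone()
    if row is None:
        return 401, {"error": "invalid or expired token"}   # client should log in again
    role = row[0]
    allowed = db.execute(
        "SELECT 1 FROM role_access WHERE role = ? AND resource = ? AND action = ?",
        (role, resource, action)).fetchone()
    if allowed is None:
        return 403, {"error": "not permitted"}               # no data leaves the server
    return 200, {"data": f"{resource}:{action} for {role}"}


def grant(db, role, resource, action):
    """Administrative change to the matrix: a row insert, no redeploy."""
    db.execute("INSERT OR IGNORE INTO role_access VALUES (?, ?, ?)", (role, resource, action))


def revoke(db, role, resource, action):
    db.execute("DELETE FROM role_access WHERE role = ? AND resource = ? AND action = ?",
               (role, resource, action))


def demo():
    """Walk an Editor session through allowed, forbidden, forged, granted and revoked requests."""
    db = open_db()
    token = login(db, "bob")
    results = {
        "editor_reads_orders": handle_request(db, token, "orders_form", "read")[0],
        "editor_reads_users": handle_request(db, token, "users_form", "read")[0],
        "forged_token": handle_request(db, "not-a-real-token", "orders_form", "read")[0],
    }
    grant(db, "Editor", "users_form", "read")
    results["after_grant"] = handle_request(db, token, "users_form", "read")[0]
    revoke(db, "Editor", "orders_form", "write")
    results["after_revoke"] = handle_request(db, token, "orders_form", "write")[0]
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The role is resolved by joining `sessions` to `users` on every request rather than being copied into the session row, so changing a user's role or editing the matrix takes effect on their very next ajax call. The client only ever holds the opaque token; it receives 401 (log in again) or 403 (not permitted) with no payload, which is what keeps a tampered client from seeing data it should not.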
Tue, Sep 15 2015 6:39 PM

squiffy

Telemix Ltd.


I've got a load of MySQL creates for a role-based system here somewhere.

I'll dig them out when I get a moment and post them here; they may be of some help. It's the system I use at the moment and seems to work ok for me.