|Home » Technical Support » Elevate Web Builder Technical Support » Support Forums » Elevate Web Builder General » View Thread|
|Messages 1 to 6 of 6 total|
|Form access control - suggestions|
|Tue, Sep 15 2015 11:16 AM||Permanent Link|
I need to implement some kind of access control to the various forms in my EWb app.
Users have a "Role" (Admin, Editor, Approval, ..) definition that I can use for access testing.
This could obviously be solved by hard coding this kind of test on every form...
I would appreciate any suggestion / best practice / ideas.
|Tue, Sep 15 2015 11:47 AM||Permanent Link|
I do this.
Users are logged in against a server (in my case B4J but could just as easily be PHP/whatever).
The server returns a token, which I store in the EWB app.
Every form gets its data from the server via an ajax call which includes this token.
If the server determines that the action requested is NOT permitted for that token then I return an error code which is parsed by the ServerRequest onComplete callback. In my case I display a modal dialogue box that, when the OK button is clicked, restarts the app forcing them to log in again.
This doesn't necessarily hide the form, but it does stop it showing any inappropriate data.
You could return & store the permissions after logging in and before showing the form call a function that tests for authority. Not very secure as in a client side app those permissions could be tampered with.
Depends how secure you need to be, really.
|Tue, Sep 15 2015 12:10 PM||Permanent Link|
squiffy, how do you determine if the data requested is permitted or not?
|Tue, Sep 15 2015 12:57 PM||Permanent Link|
Ok, so a user logs in with username/pass and I fetch some details about them, including role, that's stored in a db.
I generate a unique token (guid) and store this along with the role info (in memory or in a db).
This token is returned to EWB.
When my next ajax request for data comes in from EWB to the server (which includes the token in the POST data) I look up the data stored against the token and retrieve the role.
My server code then determines if this retrieved role is allowed to fulfil the request, returning either 200 and the data in a json payload or some arbitrary code beginning with 4xx and no data if not.
Are you using a back end like PHP & MySQL?
|Tue, Sep 15 2015 1:43 PM||Permanent Link|
Ok, so you validate the role within the execution of the request on the server side.
What I consider to be an issue is the administration of changes to what the roles can access or not.
IOW, there should be an easy way to change the role / access matrix in an easy way - preferably without recompiling.
Perhaps I simply should set up a table defining this matrix, and do a lookup for validation.
Thanks - this was really good help...
As for backend, I'm using the EWB server with a couple of different modules separated by functionality.
The database is MySQL
|Tue, Sep 15 2015 6:39 PM||Permanent Link|
I've got a load of mySql creates for a role based system here somewhere.
I'll dig them out when I get a moment and post them here; they may be of some help. It's the system I use at the moment and seems to work ok for me.
This web page was last updated on
Monday, May 29, 2023 at 11:23 AM
© 2023 Elevate Software, Inc. All Rights Reserved
Questions or comments ? E-mail us at firstname.lastname@example.org