I am developing a CRUD based database which needs to have some ACL (Access Control Lists) based on users. We want to make it so that there's an Admin access panel as well so we can quickly delete content if needed or otherwise moderate it. I am trying to keep it flexible so that it could be a separate interface for convenience but also not diverge from the general user interface because otherwise it will be harder to maintain.
What would be a good way to handle creating a user interface in the front end, assuming the backend will deal with the ACLs? Is it necessary to create a separate BB.js interface to serve or is it fine to pass a bit of extra code to all users that will be ignored?
Recommendations or warnings would be appreciated too!
I interpreted your question as you want to serve up different interfaces for different access levels of users. Therefore I would:
Put a check for the user's access before they hit each route to make sure they aren't accessing a page they shouldn't see.
They can still try to circumvent this (since they can change their user model), but your backend would still catch any unauthorized requests.
You can also conditionally show and hide page elements based on user access levels.
Here's example code from my ACL.coffee:
acl = {}
acl['admin'] = [
  'page1',
  'page2',
  'page3',
  'page4',
  'page5'
]
acl['user'] = [
  'page1',
  'page2',
  'page3'
]

hasAccess = (route) ->
  # Get User Model
  user = window.App.user
  # Get Associated ACL (an unknown role gets an empty list instead of crashing)
  permissions = acl[user.get('role')] or []
  # Check each URL for Access Privileges
  # Returns false if no permitted page name appears in the route
  # (substring match: ~indexOf yields 0, i.e. falsy, when r is absent)
  permissions.some (r) -> ~route.indexOf r

{hasAccess}
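As an added illustration (not the answer's code), here is the same client-side guard in plain JavaScript with no Backbone dependency, using exact matching on the first path segment so that a permission for "page1" does not also cover "page10"; the role names, routes, user object and callbacks are constructed for the example.

```javascript
// Constructed ACL mirroring the answer's roles; a Set gives exact-name lookups.
const acl = {
  admin: new Set(['page1', 'page2', 'page3', 'page4', 'page5']),
  user: new Set(['page1', 'page2', 'page3']),
};

// True only if the role exists and the route's first segment is permitted.
// Leading "#/" (Backbone hash routes) and sub-paths like "page2/edit" are handled.
function hasAccess(role, route) {
  const permissions = acl[role];
  if (!permissions) return false; // unknown role: deny rather than throw
  const page = route.replace(/^#?\/?/, '').split('/')[0];
  return permissions.has(page);
}

// Route guard: runs the handler only when allowed, otherwise onDenied.
// This is a UX convenience only; a user can edit their own role in the browser,
// so the backend must enforce the same ACL on every request.
function guardRoute(getRole, route, handler, onDenied) {
  if (hasAccess(getRole(), route)) {
    handler(route);
    return 'allowed';
  }
  onDenied(route);
  return 'denied';
}

// Conditional rendering helper: which navigation links this role should see.
function visibleLinks(role, allRoutes) {
  return allRoutes.filter((r) => hasAccess(role, r));
}

// Constructed usage: an ordinary user tries to open an admin-only page.
const currentUser = { role: 'user' };
const log = [];
const outcome = guardRoute(
  () => currentUser.role,
  'page5/123',
  (r) => log.push('render ' + r),
  (r) => log.push('denied ' + r)
);
// outcome === 'denied'; log === ['denied page5/123']
```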