goodmodule / rbac

Hierarchical Role Based Access Control for NodeJS
MIT License
987 stars, 102 forks

Browser support? #55

Open probil opened 5 years ago

probil commented 5 years ago

This library is for node but we used it in browser as well.

The only issue we have is that currently the library is supposed to work on node@6+, and as a result some of the code throws errors in older browsers (IE, etc.) since it contains new ES6 syntax.

I think it can be configured to support browsers with a few lines of code in .babelrc. I can create a PR for that.

alejosv commented 4 years ago

RBAC on the client side? For security reasons I don't think it's a good idea.

probil commented 4 years ago

@alejosv Why do you think so? We have proper data protection on the server. It's not about security but more about code reuse. We have been using rbac on the client side in production for at least a year to guard some routes in an SPA and to hide/display some blocks based on user permissions.

For example, if you can't create a post you won't see a "Create a post" button. But even with that button in place, the server would respond with an error (no permission), so there is no security issue here.

alejosv commented 4 years ago

RBAC is not a UI/UX pattern, good practice or design; rather, it is part of the INCITS 359-2012 standard. Put simply, the RBAC must define which role has permission to which accesses. Because the management of users, roles and permissions is on the server side, the enforcement must be done in the same way.

The response sent by the server should not hide/show elements of the DOM, since it can be manipulated by anyone. Items must be created or not created based on the user's role. Angular and Vue.js have directives for these cases, and common layout patterns like MVC allow the view to create elements in the DOM or not; this avoids exposing elements that give access to non-granted resources or unwanted shares.

This way a client-side RBAC is not necessary, and it can be a major security breach.

seeden commented 4 years ago

@alejosv you are right, but you can also use it just for simple cases like "can I show this button/navigation?". The backend can return "You are not allowed" when the client tries to read something without rights. I am not using it in this way because I am returning directly from the backend what the user is able to do or see. But for somebody, it can be interesting.
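The pattern the thread converges on, as an added example that is not part of the issue or of the goodmodule/rbac library: one hierarchical role check reused on the client purely to decide what to render, with the server as the only enforcement point, deciding from the authenticated session rather than from anything the client sends. The role names, permission names and handler are constructed for illustration.

```javascript
// Added example (not the goodmodule/rbac library's code): a minimal hierarchical
// RBAC check shared by client and server, with the server as the only enforcement point.
// Role and permission names below are constructed for illustration.
const ROLES = {
  viewer: { permissions: ['read:post'], inherits: [] },
  editor: { permissions: ['create:post', 'update:post'], inherits: ['viewer'] },
  admin:  { permissions: ['delete:post'], inherits: ['editor'] },
};

// Collect a role's own permissions plus everything inherited from parent roles.
// The visited set guards against cycles in a misconfigured hierarchy.
function effectivePermissions(role, visited = new Set()) {
  if (!ROLES[role] || visited.has(role)) return new Set();
  visited.add(role);
  const perms = new Set(ROLES[role].permissions);
  for (const parent of ROLES[role].inherits) {
    for (const p of effectivePermissions(parent, visited)) perms.add(p);
  }
  return perms;
}

function can(role, permission) {
  return effectivePermissions(role).has(permission);
}

// Client side: the same check only decides what to render (a UX hint, not a control).
function renderToolbar(role) {
  return { showCreateButton: can(role, 'create:post') };
}

// Server side: authorization uses the role bound to the authenticated session, never
// a role claimed in the request body, and answers 403 when the permission is missing.
function handleCreatePost(session, request) {
  if (!session || !session.role) return { status: 401, body: 'unauthenticated' };
  if (!can(session.role, 'create:post')) return { status: 403, body: 'forbidden' };
  return { status: 201, body: { title: request.title, author: session.user } };
}

// Constructed scenario: a viewer never sees the button, but submits the request anyway
// (and even claims "admin" in the body); the server still refuses.
const viewerSession = { user: 'alice', role: 'viewer' };
console.log(renderToolbar('viewer'));                                        // { showCreateButton: false }
console.log(handleCreatePost(viewerSession, { title: 'x', role: 'admin' }));  // status 403
console.log(handleCreatePost({ user: 'bob', role: 'admin' }, { title: 'x' })); // status 201 via inheritance
```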