Client Side Template with view per role
A

2

5

I've been reading about AngularJS and it seems very promising. The only thing I'm trying to figure out is not specific to the framework; it's general to client-side templates.

Let's say you have a web application with multiple roles, and each role may contain additional features. You cannot have a different template for each role; that would be considered bad practice. So my question is: what's the best approach to using client-side templates while, in the meantime, not exposing your templates to the client, so that, for example, in AngularJS I don't have to use ng-show? What is the best tool to generate templates on the server side?

Abney answered 21/10, 2012 at 7:59 Comment(3)
Why can't you have a different template for each role? - Glass
@dbaseman, for example, I'm working on an EHR (Electronic Health Record) product. A physician can view all patient info, from detailed personal info to allergies, meds, etc., whereas a nurse maybe should be limited to viewing basic info and allergies, for example. But as you see, both have both in common. If you changed something in allergies, you would have to go to each view and update it; that would be considered bad practice and a waste of time... - Abney
Just wondering ... maybe you could ng-repeat a set of available items in the scope that have been determined on the server side dependent on role - Achlamydeous
D
3

Blesh is correct about only providing data to users with the appropriate role on the server side, but it sounds like you want to re-use pieces of your client UI.

In AngularJS, you could use ng-include and build up different partials for different pieces of data. So you could write something like this in both your "doctor" and "nurse" views:

<div ng-include="'allergies.html'"></div>

And then have a separate HTML file called allergies.html:

<p>Allergy info: {{someData}}</p>

Another option would be to use directives.

Disrupt answered 22/10, 2012 at 5:54 Comment(0)
N
6

You're going to want to filter that medical data server-side, then display accordingly in Angular. ng-show and ng-hide simply toggle the display of elements that still exist in the DOM. In other words, that (I'm assuming) HIPAA-protected data is just sitting there where anyone could "view source" it.

Even if you did come up with a way to outright remove those DOM elements you didn't want to display based on roles, it doesn't matter, because you've still technically transferred that data to the client, and a savvy wrong-doer will simply sniff packets and get the protected data.

In fact, ALL of your security and role-checking should be done on the server. You can't trust a JavaScript app to do that on the client at all, in any JS framework, Angular or not.

As for hiding fields based on a role, (presumably because you've got no data to display in those fields), ng-show or ng-hide will be your friends. Occasionally ng-switch will do. If you have a situation where you need a completely different template for some reason, then I'd go with an ng-switch with custom directives in each case, which would allow you to template out what was underneath each role.

I hope that helps.

Nonprofessional answered 21/10, 2012 at 23:24 Comment(2)
Thanks @blesh, but keep in mind, I never said I'll transfer data to the client side. I'm even trying to show the client only the templates he's permitted to see, nothing else... - Abney
I didn't want to make any assumptions. I just wanted to make sure the important bases were covered. ;) - Nonprofessional
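The server-side filtering this answer describes, combined with the shared partials from the ng-include answer, as an added example that is not part of the original posts. The role names, field names, partial names and helper functions are assumptions made for illustration.

```javascript
'use strict';

// Constructed policy: which record sections each role may receive.
// Role and field names are assumptions for this example.
const ROLE_FIELDS = Object.freeze({
  physician: ['name', 'dob', 'address', 'allergies', 'medications'],
  nurse: ['name', 'allergies'],
});

// Each shared partial (as with ng-include) needs one record section.
const PARTIAL_REQUIRES = Object.freeze({
  'basic.html': 'name',
  'allergies.html': 'allergies',
  'medications.html': 'medications',
});

function allowedFields(role) {
  // Deny by default: unknown or missing roles get nothing.
  const known = Object.prototype.hasOwnProperty.call(ROLE_FIELDS, role);
  return known ? ROLE_FIELDS[role] : [];
}

// Build the response from an allowlist, so a field added to the record
// later is not sent to anyone until the policy names it.
function filterRecordForRole(record, role) {
  const out = {};
  for (const field of allowedFields(role)) {
    if (Object.prototype.hasOwnProperty.call(record, field)) {
      out[field] = record[field];
    }
  }
  return out;
}

// Partials the server would agree to serve to this role.
function partialsForRole(role) {
  const fields = allowedFields(role);
  return Object.keys(PARTIAL_REQUIRES)
    .filter((name) => fields.includes(PARTIAL_REQUIRES[name]));
}

// Constructed sample record; "ssn" is in no role's allowlist.
const samplePatient = {
  name: 'Test Patient', dob: '1970-01-01', address: '1 Example St',
  allergies: ['penicillin'], medications: ['drug-a'], ssn: '000-00-0000',
};

console.log(JSON.stringify(filterRecordForRole(samplePatient, 'nurse')));
console.log(partialsForRole('nurse'));
```

The same allergies.html partial is reused by both roles, while the decision about what each role receives is made once, on the server, before anything reaches the browser.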