How to implement a decent permission system?

Hi,

In my app, I want to assign users roles, which give certain permissions. I have now this in place:

There are roles in the DB:

These are assigned to a user:

To check if a user has a certain role, and so for example an edit button or certain info is shown, I use this method:

In the app state, references are made to the role documents (for easier handling):

I decide if a widget should be shown or not via conditional view:

I check if the authenticated user's roles contain the item which is referenced via the app state:

It’s also possible to check for multiple roles using conditions:

It works, but this feels like a dirty workaround because:

  • There is security on the graphical item, but not on the data itself. The widget menu item is hidden, but if you know the actual page, you can still access it (but maybe by adding a condition to the page container, I can build in extra security).

  • It's very cumbersome to add the permission check to each widget.

  • It's hard to see which permissions are applied everywhere.

I'm feeling that I'm creating a really inefficient and insecure method here.

Any suggestions to do it better?

Thanks!

1 reply
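As an added example (not code from the original post or from any particular app framework), the sketch below shows the shape of a permission system that addresses the three concerns listed above: roles map to named permissions in one place, the check is enforced on the data-access function itself rather than only on the widget, and the UI derives button visibility from that same function, so hiding a widget and protecting the data can never drift apart. All names (ROLES, USERS, ARTICLES, require_permission, and so on) are hypothetical, and the role and user records are constructed sample data standing in for the role documents and user documents in the database.

```python
"""Centralised role-based authorisation: one definition, enforced at the data layer.

Added example, not the original poster's code. Assumes a document-style data
model: a user record holds a list of role ids, a role record holds a set of
permission strings. All identifiers are hypothetical.
"""
from dataclasses import dataclass
from functools import wraps

# Constructed sample data standing in for the role documents in the DB.
# Permissions are named after data operations, not after widgets.
ROLES = {
    "admin":  {"permissions": {"article:read", "article:edit", "article:delete", "user:manage"}},
    "editor": {"permissions": {"article:read", "article:edit"}},
    "viewer": {"permissions": {"article:read"}},
}

# Constructed sample users; "erin" references a role id that does not exist.
USERS = {
    "alice": {"roles": ["admin"]},
    "bob":   {"roles": ["editor"]},
    "carol": {"roles": ["viewer"]},
    "dave":  {"roles": []},
    "erin":  {"roles": ["ghost"]},
}

# Constructed sample data the guarded functions operate on.
ARTICLES = {1: {"title": "Hello", "body": "original"}}


@dataclass(frozen=True)
class Principal:
    """The authenticated user plus the flattened set of permissions their roles grant."""
    user_id: str
    permissions: frozenset


class PermissionDenied(Exception):
    pass


def load_principal(user_id):
    """Resolve a user's role references to permissions once, at login or per request."""
    perms = set()
    for role_id in USERS[user_id]["roles"]:
        role = ROLES.get(role_id)
        if role is None:
            continue  # dangling role reference: deny by default, grant nothing
        perms |= role["permissions"]
    return Principal(user_id, frozenset(perms))


def has_permission(principal, permission):
    """The single check both the UI and the data layer call."""
    return permission in principal.permissions


def require_permission(permission):
    """Decorator that enforces the check on the data operation itself.

    Even if a client reaches a hidden page or calls the operation directly,
    the function refuses unless the principal holds the named permission.
    """
    def decorator(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if not has_permission(principal, permission):
                raise PermissionDenied(f"{principal.user_id} lacks {permission}")
            return fn(principal, *args, **kwargs)
        wrapper.required_permission = permission  # recorded so it can be listed later
        return wrapper
    return decorator


@require_permission("article:read")
def get_article(principal, article_id):
    return ARTICLES[article_id]


@require_permission("article:edit")
def update_article(principal, article_id, body):
    ARTICLES[article_id]["body"] = body
    return ARTICLES[article_id]


# The data API the UI is built on; every entry carries its own guard.
DATA_API = {"get_article": get_article, "update_article": update_article}


def visible_actions(principal):
    """UI layer: show exactly the actions the data layer would allow."""
    return [name for name, fn in DATA_API.items()
            if has_permission(principal, fn.required_permission)]


def permission_matrix():
    """Answer 'which permission is applied where?' from the decorators, not by reading every widget."""
    return {name: fn.required_permission for name, fn in DATA_API.items()}


if __name__ == "__main__":
    carol = load_principal("carol")
    print("carol sees:", visible_actions(carol))
    try:
        update_article(carol, 1, "tampered")  # hidden button bypassed, still refused
    except PermissionDenied as e:
        print("denied:", e)
    print(permission_matrix())
```

The point of the decorator is that the widget condition becomes a convenience rather than the security boundary: the same `has_permission` call guards the data operation, so the two cannot disagree, and `permission_matrix()` gives the overview of which permission applies to which operation that was hard to see when each widget carried its own condition. Whatever backend the app actually uses, the same split applies: define roles to permissions once, enforce on the server or in database rules, and let the client only mirror that decision.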