Access Check for Server Actions in Reactive Best Practice

Looking for some guidance for best practices regarding checking access for server actions in Reactive Web based on roles.

For example, consider the following pattern for a server CRUD action:


What is the best way to check if a user has the roles required to perform this CRUD action? 

I've worked in apps that check the specific role as part of the condition itself, i.e., inside "Access Check" with CheckUserRole(GetUserId()), but I feel like this could be more dynamic by passing in an input parameter (something like "hasAccess") and, when the server action is called from the client, passing in the roles. The security implications of the latter concern me, as well as a scenario where a CRUD action on a table could be used across multiple applications, each with their own roles.

Some advice from a best practice standpoint is appreciated. Thank you.

2022-08-03 04-32-50
Ravi Punjwani

Hi Cory,

Relying on the client-side parameters for anything related to security is a vulnerability.

Secured access to code that requires any authorization must be checked from the server action itself. Client-side parameters and actions can be easily modified with various JavaScript techniques.

In your case, where you want to generalize whether access is allowed or not, you can use the HasAccess parameter as desired, but then wrap it with different server actions in each of your applications. Those wrapper server actions can contain the code that actually checks the required role / authorization.
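A worked version of the two patterns in this thread, as an added example (not code from the original posts or from OutSystems): the OutSystems server actions are modelled as plain Python functions, an assumption made for illustration. The generic CRUD action takes the HasAccess input from the question; the insecure variant exposes it to the client, the recommended variant puts an application-specific wrapper in front of it that computes HasAccess on the server. GetUserId and CheckUserRole are stand-ins for the platform actions named in the question, and the user table, role names, OrderStore and the request/session dicts are constructed sample data.

```python
"""Server-side role checks for a shared CRUD server action.

Assumption: OutSystems server actions are modelled as Python functions.
The identity source (session), role table and order store are constructed
for this example and are not part of the original thread.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a CRUD action is called without access."""


# Constructed sample role assignments: user id -> set of role names.
# In OutSystems this is what the role-check action consults.
USER_ROLES = {
    101: {"Editor"},   # an Editor in the sales application
    102: {"Viewer"},   # a read-only user
}


def get_user_id(session: dict) -> int:
    """Stand-in for GetUserId(): identity comes from server-side session
    state, never from a request parameter the browser can edit."""
    return session["user_id"]


def check_user_role(user_id: int, role: str) -> bool:
    """Stand-in for CheckUserRole(UserId): evaluated on the server only."""
    return role in USER_ROLES.get(user_id, set())


@dataclass
class OrderStore:
    orders: dict = field(default_factory=dict)

    def update_order_crud(self, has_access: bool, order_id: int, status: str) -> str:
        """Generic CRUD server action with the HasAccess input from the thread.
        It enforces the flag but does not decide who is granted it, which is
        what makes it reusable across applications with different roles."""
        if not has_access:
            raise AccessDenied(f"UpdateOrder: no access to order {order_id}")
        self.orders[order_id] = status
        return self.orders[order_id]


# --- Pattern 1 (insecure): the client supplies HasAccess -------------------
def update_order_from_client(store: OrderStore, session: dict, request: dict) -> str:
    """Exposes the CRUD action directly. HasAccess is read from the request
    payload, so any user can flip it to True in the browser and pass."""
    return store.update_order_crud(
        request["hasAccess"], request["order_id"], request["status"]
    )


# --- Pattern 2 (recommended): an app-specific wrapper computes HasAccess ----
def make_wrapper(required_role: str):
    """Builds the wrapper server action Ravi describes for one application.
    The wrapper is the only thing the client can call; it derives HasAccess
    from the server-side identity and ignores any flag sent by the client."""
    def wrapper(store: OrderStore, session: dict, request: dict) -> str:
        user_id = get_user_id(session)
        has_access = check_user_role(user_id, required_role)   # server-side
        return store.update_order_crud(
            has_access, request["order_id"], request["status"]
        )
    return wrapper


# Each application wraps the same CRUD action with its own role.
update_order_sales_app = make_wrapper("Editor")
update_order_ops_app = make_wrapper("OpsManager")


def denied(action, *args) -> bool:
    """True if calling the action raises AccessDenied (used by the demo)."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    viewer = {"user_id": 102}
    tampered = {"hasAccess": True, "order_id": 1, "status": "shipped"}
    # Pattern 1: the Viewer's tampered request succeeds.
    print(update_order_from_client(OrderStore(), viewer, tampered))
    # Pattern 2: the same request is refused because the role check is server-side.
    print(denied(update_order_sales_app, OrderStore(), viewer, tampered))
```

The point of the split is that the wrapper, not the CRUD action, is the exposed surface: each application registers its own wrapper with its own role, and a tampered "hasAccess" in the request body never reaches the CRUD action because the wrapper simply does not read it.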

Cory Kourcklas

Ravi,

Thank you very much for the answer. I hadn't thought of using another wrapper action. I think this is an approach I'll adopt.

Gonna leave this open for other perspectives, too.
