
Client side action for checking roles

Frontend
On our radar

Hello Team, 


It would really help if the checkIfCurrentUserHasRole() JavaScript method were available as a client-side action. Also, currently there is no way to get a roleName in a client action.

A CheckRole client action providing the role-checking functionality is needed.

Created on 13 Jan (12 days ago)
Comments (6)

Hi Amal,

This functionality is available client side, in the JavaScript API security object, see:

https://success.outsystems.com/Documentation/11/Reference/OutSystems_APIs/JavaScript_API/Security#checkifcurrentuserhasrole

Regards,

Daniel

Changed the category to Frontend


Changed the status to On our radar


Hi Amal,

That is a good idea. As Daniel has said we have never a JS API for that. 

We decided not to expose that as client actions because they could give a false sense of security, as these are all easily tampered. If, for instance, you protect a menu entry or a button to be shown in the UI only for certain users, you really should also protect the server code, either by using the screen roles and by checking the roles on the server actions. Otherwise this could be easily tricked with some JavaScript.

In any case we'll put this on our radar, to monitor the evolution of this idea and eventually do something about it (e.g. making it available in the client side, but being explicit that further must be done in some way). Ideas are welcomed.

Cheers,
Tiago Simões

Hi Tiago,

I am confused by your response. The JavaScript API is available for mobile. I assumed it would also be available in Reactive Web, it being based on the concepts laid out by Mobile app.

I just did a test and checkIfCurrentUserHasRole() does also work in Reactive Web.

Regards,

Daniel

Hi Daniel,

Sorry. Yes, the API is available both in mobile and reactive.

What I meant is that we only have a JS API available and no Client Actions (which would be more low-codish) because we want users to better understand that they should not rely only on these for authorization; they should always also protect the server side.

Cheers,
Tiago Simões

Hi Tiago,

Ok now I understand, and yes I fully agree that everything should be protected server side.

Regards,

Daniel
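The point the thread settles on, as an added example that is not part of the original posts and is not OutSystems code: a client-side role check can only decide what the UI shows, so the server action has to check the role itself. The session store, role table, function names and invoice scenario are all hypothetical and constructed for the illustration.

```javascript
// Constructed model; all names and data are hypothetical, not the OutSystems API.
const sessions = new Map([["sess-alice", "alice"], ["sess-bob", "bob"]]);
const roles = new Map([["alice", new Set(["Manager"])], ["bob", new Set()]]);

// Server action that relies on the UI hiding the button: authentication only.
function approveUnprotected(sessionId, invoiceId) {
  const user = sessions.get(sessionId);
  if (!user) return { status: 401, body: "not authenticated" };
  return { status: 200, body: `invoice ${invoiceId} approved by ${user}` };
}

// Server action that checks the role against server-held state on every call.
function approveProtected(sessionId, invoiceId) {
  const user = sessions.get(sessionId);
  if (!user) return { status: 401, body: "not authenticated" };
  if (!roles.get(user).has("Manager")) return { status: 403, body: "role Manager required" };
  return { status: 200, body: `invoice ${invoiceId} approved by ${user}` };
}

// Client: the role check is only a UI hint, held in memory the user controls.
function makeClient(sessionId, roleHints) {
  return {
    sessionId,
    hasRole: (role) => roleHints.includes(role), // stand-in for a client-side check
    showApproveButton() { return this.hasRole("Manager"); },
    call(serverAction, invoiceId) { return serverAction(this.sessionId, invoiceId); },
  };
}

function demo() {
  const bob = makeClient("sess-bob", []);
  const hiddenAtFirst = !bob.showApproveButton();
  bob.hasRole = () => true; // client state altered in the browser
  return {
    hiddenAtFirst,
    shownAfterTamper: bob.showApproveButton(),
    unprotected: bob.call(approveUnprotected, 42).status,
    protectedStatus: bob.call(approveProtected, 42).status,
    manager: makeClient("sess-alice", ["Manager"]).call(approveProtected, 42).status,
  };
}

console.log(demo());
```

The two server actions differ only in the role check, which is the part that stays out of the client's reach.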
