
I have read this below answer for SPA cons. In fact, I have faced some problems outlined.

Single Page Application: advantages and disadvantages

That is why I want to check whether I should still take the current path.

My question is more related to user authorization to an object.

  1. When a user who doesn't have authorization to certain objects accesses the web app, do I need to hide them (with JS) in the SPA, or do I need to make all the options available as an API?

Ex: if the user is not an admin, do I need to hide admin-related navigation links, or do I need to create an API for navigation links and maintain them on the server?

  2. The user logged into the application and the data table was loaded, but the user doesn't have delete permission on the data. Do I need to hide the delete option on the records, or can the page be built based on permissions?

So far, for navigation, I keep the entries in the backend and serve them as an API. For things like delete permission, I hide them.

I am using Angular. Is there any solution for building an SPA based on user permissions, or is an MPA better for my use case? It is data sensitive and I don't want users to inspect the elements and figure out what was hidden. (Authentication is set up for the API as well, but I feel too much work has to be done to maintain a simple edit feature and navigation when user permissions are involved.)

Tlaloc-ES
Durai
  • Of course you should hide actions that the user isn't allowed to execute. What would be the point of showing them? That has nothing to do with security though. Just about good user experience. The security (i.e. checking that the user is allowed to delete a row for example) should always be on the backend, because anybody can send a request to your server, whether or not the action is hidden. That's true whether or not you use an SPA. – JB Nizet Oct 24 '19 at 22:12
  • Looking from a different angle on the problem, every code running in the client (browser) can be manipulated by the user. Therefore authorization can only be consistently enforced on the server. – pintxo Oct 24 '19 at 22:13
  • This might be a better place to start for this kind of question: https://softwareengineering.stackexchange.com Stack Overflow is generally more for very specific issues with code (though with some exceptions to that). – Dortimer Oct 24 '19 at 22:13
  • Thanks everyone. @Dortimer, I will post on the Stack Exchange site. One of my colleagues told me that if we use an ngIf condition, the DOM will not be generated. But the minified version of the source code is present without the condition. I will have to experiment with this. Here is the link to the Stack Exchange question to discuss: https://softwareengineering.stackexchange.com/questions/400129/how-secure-are-spa-pages – Durai Oct 25 '19 at 07:31
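The point made in the comments above (hide the delete option for UX, but enforce the permission on the server) as an added example; it is not code from the question or from any commenter. The users, records, token lookup and the `handleDeleteRequest` handler are all constructed for illustration:

```javascript
// Added example (not from the question or comments): one permission rule
// applied twice, once for UX in the client and once for security on the
// server. All users, records, tokens and handler names are constructed.

// Permission policy. The client copy is advisory; only the server copy counts.
function canDelete(user, record) {
  return user.roles.includes('admin') || record.ownerId === user.id;
}

// Client side (what an Angular *ngIf on the delete button would achieve):
// decide which row actions to render. A user can still craft the request.
function renderRowActions(user, record) {
  const actions = ['view', 'edit'];
  if (canDelete(user, record)) actions.push('delete');
  return actions;
}

// Constructed server-side store and session-token lookup.
const records = new Map([[42, { id: 42, ownerId: 'alice' }]]);
const sessions = new Map([
  ['tok-alice', { id: 'alice', roles: ['user'] }],
  ['tok-bob', { id: 'bob', roles: ['user'] }],
]);

// Server side: the check that is the real security boundary. It runs on
// every request, whether or not the client ever showed a delete button.
function handleDeleteRequest(req) {
  const user = sessions.get(req.headers.authorization);
  if (!user) return { status: 401 };           // not authenticated
  const record = records.get(req.params.id);
  if (!record) return { status: 404 };         // nothing to delete
  if (!canDelete(user, record)) return { status: 403 }; // hidden or not, refused
  records.delete(req.params.id);
  return { status: 204 };
}
```

Whether or not `*ngIf` keeps the element out of the DOM, the bundled JavaScript still contains the branch, so the server-side check in `handleDeleteRequest` is the only place the rule is actually enforced.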

0 Answers