2

The actual questions

  1. How to "map" access restrictions so it can be used from php and javasript?
  2. What kind of method should I use to share access restrictions / rules between php and javascript?

Explanation

I have created a RESTful backend using php which will use context-aware access control to limit data access and modification. For example, person can modify address information that belongs to him and can view (but not modify) address information of all other persons who are in the same groups. And of course, group admin can modify address details of all the persons in that group.

Now, php side is quite "simple" as that is all just a bunch of checks. Javascript side is also quite "simple" as that as well is just a bunch of checks. The real issue here is how to make those checks come from the same place?

Javascript uses checks to show/hide edit/save buttons. PHP uses checks to make the actual changes.

and yes, I know this would be much more simpler situation if I ran javascript (NodeJS or the like) on server, but the backend has already been made and changing ways at this point would cause major setbacks.

Maybe someone has already deviced a method to model access checks in "passive" way, then just use some sort of "compiler" to run the actual checks?

Edit:

Im case it helps to mention, the front-end (js) part is built with AngularJS...

Edit2

This is some pseudo-code to clarify what I think I am searching for, but am not at all certain that this is possible in large scale. On the plus side, all access restrictions would be in single place and easy to amend if needed. On the darkside, I would have to write AccessCheck and canAct functions in both languages, or come up with a way to JIT compile some pseudo code to javascript and php :)

AccessRestrictions = {
    Address: {
        View: [
            OWNER, MEMBER_OF_OWNER_PRIMARY_GROUP
        ],
        Edit: [
            OWNER, ADMIN_OF_OWNER_PRIMARY_GROUP
        ]
    }
}

AccessCheck = {
    OWNER: function(Owner) {
        return Session.Person.Id == Owner.Id;
    },
    MEMBER_OF_OWNER_PRIMARY_GROUP: function(Owner) {
        return Session.Person.inGroup(Owner.PrimaryGroup)
    }
}

canAct('Owner', 'Address', 'View') {
    var result;
    AccessRestrictions.Address.View.map(function(role) {
        return AccessCheck[role](Owner);
    });
}
Improve this question

2 Answers 2

Reset to default
2

First things first.

You can't "run JavaScript on the server" because Javascript is always run on the client, at the same way PHP is always run on the server and never on the client.

Next, here's my idea.

  1. Define a small library of functions you need to perform the checks. This can be as simple as a single function that returns a boolean or whatever format for your permissions. Make sure that the returned value is meaningful for both PHP and Javascript (this means, return JSON strings more often than not)

  2. In your main PHP scripts, include the library when you need to check permissions and use the function(s) you defined to determine if the user is allowed.

  3. Your front-end is the one that requires the most updates: when you need to determine user's permission, fire an AJAX request to your server (you may need to write a new script similar to #2 to handle AJAX requests if your current script isn't flexible enough) which will simply reuse your permissions library. Since the return values are in a format that's easily readable to JavaScript, when you get the response you'll be able to check what to show to the user

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for your answer.For your point #3, if I understood this correctly, it means that for every permission check there would be one ajax request which is not feasible in some situations. Or, the permissions backend could handle checking of multiple values for single action at once. But what if there are several actions per single person and tens of persons? (eg. table containing hundred perons which you can multi-select and perform a task with. Javascript access check would control disabled status of that checkbox.)
Design library functions that for a given input have the desired output, I don't know your software and it's hard to be more specific than giving general guidelines. Maybe if the check is too hard your software is badly designed, or Javascript is not the way to go altogether.
0

There are some solutions to this problem. I assume you store session variables, like the name of the authorized user in the PHP's session. Let's assume all you need to share is the $authenticated_user variable. I assume i'ts just a string, but it can also be an array with permissions etc.

If the $authenticated_user is known before loading the AngularJS app you may prepare a small PHP file whish mimics a JS file like this:

config.js.php:

<?php
session_start();
$authenticated_user = $_SESSION['authenticated_user'];
echo "var authenticated_user = '$authenticated_user';";
?>

If you include it in the header of your application it will tell you who is logged in on the server side. The client side will just see this JS code:

var authenticated_user = 'johndoe';

You may also load this file with ajax, or even better JSONP if you wrap it in a function:

<?php
session_start();
$authenticated_user = $_SESSION['authenticated_user'];
echo <<<EOD;
function set_authenticated_user() {
    window.authenticated_user = '$authenticated_user';
}
EOD;
?>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.