Thread: Manage user permission policies

  1. #1
    Sencha User
    Join Date
    Aug 2014

    Manage user permission policies

    Hi all!
    This is a very general question but anyway... I'm very curious to know what strategy can be used for managing user permission policies for different parts of a single-page web application.
    Are there any best practices, approaches or frameworks for making these things easier and more straightforward?

    Let's take an example:

    There is a single-page web application with 2 tabs: A and B
    Each tab has 3 components (grids, buttons, whatever): A1, A2, A3 and B1, B2, B3
    There are 3 user groups: U1, U2 and U3
    U1 has access to both tabs and all the components
    U2 has access to both tabs but only to components A1 and B1
    U3 has access only to tab A and all the components within this tab
    One solution which lies on the surface is to build a global JS object on page load (or with separate AJAX request) and store the user groups there. And then use conditions in the code to verify the current group and allow or restrict a specific functionality. A simplified example would look something like this:

    PHP Code:
    <script type="text/javascript">
    MyApplication = {
        userGroup: 'U3' // can be also U1 or U2
    };
    </script>
    And then in code we will have checks like:
    PHP Code:
    if (MyApplication.userGroup == 'U1') { /* ... */ }
    if (MyApplication.userGroup == 'U1' || MyApplication.userGroup == 'U2') { /* ... */ }
    if (MyApplication.userGroup != 'U3') { /* ... */ }
    The example can be extended with the scenario of handling events in different ways depending on the user group. Let's say A1 is the button and A1OnClickHandler is its on-click-handler:
    PHP Code:
    // Click handler for button A1: what it shows depends on the client-side group value
    var A1OnClickHandler = function() {
        if (MyApplication.userGroup == 'U1') {
            console.log('A very private information');
        } else if (MyApplication.userGroup == 'U2') {
            console.log('Less private information');
        } else if (MyApplication.userGroup == 'U3') {
            console.log('Public information');
        }
    };

    A drawback of the approach I described is that the user can change the value of MyApplication.userGroup on the fly after the page is rendered. Just open the console and type:
    PHP Code:
    MyApplication.userGroup = 'U1'
    Bingo, a user of group U3 now has the rights of U1 and will be able to see private information on A1 click. OK, he will still not be able to see those components which have not been rendered on the page because of the initial conditions. But he will still be able to access the functionality available after these post-check conditions.

    To be honest I was a bit surprised by not being able to find any specific information related to this issue on the web. Am I missing anything? It would be interesting if anybody could share their own experience of solving this kind of thing.

    Here is the link to StackOverflow post ( but since I'm interested in ExtJS implementations I think it will make more sense to post it here as well.

  2. #2
    Sencha Premium User
    Join Date
    Nov 2014


    Here's one possible solution, showing how you can dynamically build the available components depending on what modules and features are enabled for a given user.
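
Added example, not part of either post and not Sencha's code: a server-side sketch in plain JavaScript of the U1/U2/U3 matrix from post #1, where the group comes from the server's session record and the client only receives a manifest of what to render. The tokens, the `claimedGroup` field and all function names are hypothetical.

```javascript
// Permission matrix from post #1: group -> components it may use.
const POLICY = {
  U1: ['A1', 'A2', 'A3', 'B1', 'B2', 'B3'],
  U2: ['A1', 'B1'],
  U3: ['A1', 'A2', 'A3'],
};

// Constructed sample sessions (hypothetical tokens). The group is bound to
// the session on the server at login, never taken from the request body.
const SESSIONS = new Map([
  ['tok-alice', 'U1'],
  ['tok-bob', 'U2'],
  ['tok-carol', 'U3'],
]);

// What the A1 click handler from post #1 reveals, now chosen server-side.
const A1_DATA = {
  U1: 'A very private information',
  U2: 'Less private information',
  U3: 'Public information',
};

// Rendering hint for the client: which tabs and components to build.
// Editing it in the browser console changes the UI only, not the data.
function uiManifest(token) {
  const tabs = {};
  for (const id of POLICY[SESSIONS.get(token)] || []) {
    (tabs[id[0]] = tabs[id[0]] || []).push(id);
  }
  return tabs;
}

// Every data request is authorized again here. req.claimedGroup stands for
// any group value sent by the browser; it is deliberately ignored.
function handleRequest(req) {
  const group = SESSIONS.get(req.token);
  if (!group) return { status: 401 };
  if (!POLICY[group].includes(req.component)) return { status: 403 };
  const body = req.component === 'A1' ? A1_DATA[group] : req.component + ' data';
  return { status: 200, body };
}

// A U3 user who set MyApplication.userGroup = 'U1' in the console:
const tampered = handleRequest({ token: 'tok-carol', component: 'A1', claimedGroup: 'U1' });
console.log(tampered); // body is still the U3 view
```

With this split, the checks on `MyApplication.userGroup` in the browser only decide what gets drawn; the response to each request is what enforces the policy.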

