authentication - setting permissions on redux actions -


i creating web redux-react app have number of different permission levels. many users may interacting 1 one piece of data may have limitations on can do.

to me, obvious way set permissions on interactions on data (held behind app server) associate permissions different redux actions. then, when user saves state client side app bundle users action history , send server. these actions applied data in server , permissions checked, action action, against user jwt.

this mean lots our reducer code used isomorphically on server.

i cannot find resources/disscussions on this. normal way of handling complex permissions in redux app? having auth purely @ endpoint seems cumbersome , require rewriting ton of new code written in client side reducers. reason not go ahead , create reducer checks auth on each action?

points:

  • must assume actions sent server authenticated, sent users not have permission dispatch these actions
  • if permissions have been checked , inside actions reducer can check permissions , pure

i think it's not responsibility of action creators check permissions using reducer , selector definitively way go. here 1 possible implementation.

the following component requires acl checks:

/**  * display user record.  *   * deletion link added if logged user has sufficient permissions  * delete record.  */ function userrecord({ username, email, avatar, isgranted, deleteuser }) {   return (     <div>       <img src={avatar} />       <b>{username}</b>       {isgranted("delete_user")         ? <button onclick={deleteuser}>{"delete"}</button>         : null       }     </div>   ) }

we need connect our store hydrate props:

export default connect(   (state) => ({     isgranted: (perm) => state.loggeduser.permissions.has(perm),   }),   {deleteuser},   (stateprops, dispatchprops, ownprops) => ({     ...stateprops,     ...ownprops,     deleteuser: () => dispatchprops.deleteuser(ownprops.user)   }) )(userrecord)

  • the first argument of connect create isgranted logged user. part done using reselect improve performance.

  • the second argument bind actions. nothing fancy here.

  • the third argument merge props , pass them wrapped component. deleteuser bound current record.

you can use userrecord without dealing acl checks since auto-update depending on stored in loggeduser.

<userrecord user={someuser} />

in order above example work need store logged user in redux's store loggeduser. don't need check acl on actions since ui won't trigger them if current user lacks of permissions. moreover, acl have checked server-side.


Comments

Post a Comment

Popular posts from this blog

javascript - jQuery: Add class depending on URL in the best way -

i have html progress meter: <div class="col-md-3" style="margin-left: -20px;"> <div class="progress-pos active" id="progess-1"> <div class="progress-pos-inner"> login </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-2"> <div class="progress-pos-inner"> scan items </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-3"> <div class="progress-pos-inner"> confirm address </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-4"> <div class="progress-pos-in
Read more

caching - How to check if a url path exists in the service worker cache -

i need check if particular url path exists in service worker cache. example, suppose url is: /myserviceworker/service?a=110&b=70 this url exists in cache, there many of them different values of , b. now, suppose want refresh of these urls, how can that? i want know how access key values service worker cache. if know key, plan follows: var url = new url(key); if(url.pathname === "\/myserviceworker/service") refetch key but not sure how cache key , in format is. mean, string or url? cache api has match() method returns promise resolving in response object if match or undefined if no match exists. second parameter object can specify ignoresearch not take account url parameters. the ignoresearch option supported firefox ( chrome status here ). in other hand, retrieve cache entries, can use keys() method.
Read more

Redirect to a HTTPS version using .htaccess -

i need modify .htaccess file redirect urls https version without "www". http://example.com --> https://example.com http://www.example.com --> https://example.com https://www.example.com --> https://example.com this how .htaccess file looks like: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^(.*)$ redirect.php?id=$1&page=$2 [qsa,l] what modifications need make .htaccess in order forward https without "www"? it depends on doing current code. looks file called redirect trying display php page seo friendly url. think might confusing people. anyway, need , force https without www, need 1 more rule above. also second rule needs two capture groups in rewriterule test string because wanting 2 different values using $1 , $2 references. rewriteengine on #rediect www non www and/or http https --- combinations. rewritecond %{http_host} !^example\.com [nc,or] rewritecond %{https} !^
Read more