intelis - 1 year ago
Python Question

AngularJS and Django permissions

I'm building a webapp with AngularJS and Django. I want to use Django's excellent permission system (mostly

permissions), but I'm not sure how to implement that in pure client-side.

I know I can use Angular's
service, but I don't want to mix template tags from both frameworks, as I understand that is a bad practice.

The way I wanted to implement this, was to return
from server with all appropriate user permissions, something like:

```python
{
    "username": "John",
    "can_view_field1": True,
    "can_view_field2": True,
    "can_view_field3": False
}
```

After that I'd simply use Angular's
to destroy or recreate portions of
based on user permission.

My question is how safe is this? Are there any better ways of doing this without the use of Django's templates?

It just seems to me that everything that is client-side should be considered unsafe?

Answer Source

My question is how safe is this?

To make it safe, Django needs to NOT return any data concerning the view until Django does a BACKEND check on the permissions, because on the client side a malicious user can flip that boolean to True simply using the browser's JS console.

So basically, the client side check should be LIMITED to simply altering the user interfaces (e.g. hide links to resources the user doesn't have permission to access). But when the time comes for the Django server to return data to a user, the Django view needs to do the permissions check on its own.

Are there any better ways of doing this without the use of Django's templates?

Yes, you can make AngularJS fetch the user profile with the permissions from a REST API. It gives you better organization than padding the Django template's HTML with JSON data.

Personally what I do is, once a user is logged in, AngularJS fetches the user profile (e.g. first_name, last_name, etc.) and along with it I attach a field called "permissions"; instead of booleans, I just pass the names of the permissions the user has.

```javascript
profile.permissions = ['view_app1', 'view_app2', 'create_model_1', ...]
```

Because it's less data sent over HTTP vs. sending all permissions with lots of x=False fields in them.

Bottom line:

  • Client side checks are just for good user experience and good user interfaces
  • Security checks are done server side before returning any data/page
  • Include only permissions the user has, no need to expose them all with lots of permissions = False
  • Avoid padding HTML templates with JSON data, create a minimal Django view to return that JSON data if you have to
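The server-side half of this pattern, as an added example that is not part of the original answer: the profile endpoint returns only the permissions the user holds, and the data view refuses before building anything if the permission is missing. It assumes only the interface of Django's auth user object (`has_perm(codename)` and `get_all_permissions()`); `FakeUser` and `Request` are stand-ins constructed here so the file runs without Django, and `require_perm` plays the role that Django's own `permission_required(..., raise_exception=True)` decorator plays in a real project.

```python
# Added example, not from the original answer or from Django itself.
# Only the has_perm / get_all_permissions interface mirrors Django's User.
from functools import wraps


class FakeUser:
    """Stand-in for django.contrib.auth's User (constructed for this example)."""

    def __init__(self, username, perms):
        self.username = username
        self._perms = set(perms)  # "app_label.codename" strings, as Django uses

    def has_perm(self, perm):
        return perm in self._perms

    def get_all_permissions(self):
        return set(self._perms)


class Request:
    """Stand-in for a Django HttpRequest; only .user is needed here."""

    def __init__(self, user):
        self.user = user


def profile_payload(user):
    """JSON the client fetches after login: only granted permission names,
    never a long list of '<perm>': False entries."""
    return {
        "username": user.username,
        "permissions": sorted(user.get_all_permissions()),
    }


def require_perm(codename):
    """Deny before any data is produced; the client's ng-if is UI only."""

    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not request.user.has_perm(codename):
                return 403, {"detail": "permission denied"}
            return view(request, *args, **kwargs)

        return wrapped

    return decorator


@require_perm("app1.view_field3")
def field3_view(request):
    """Returns (status, body); the guard above runs before this body does."""
    return 200, {"field3": "only for users holding app1.view_field3"}
```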