Access rights
BonBon Slick, 2021-03-28 00:19:01

Dynamic serialization of attributes by access rights (ACL)?

When does THIS apply?

Sometimes, you will find the need to apply an ACE only to a specific field of the object. Suppose you want the ID only to be viewable by an administrator, but not by your customer service. To solve this common problem, two more sub-scopes have been added:

Class-Field-Scope: These entries apply to all objects with the same class, but only to a specific field of the objects.
Object-Field-Scope: These entries apply to a specific object, and only to a specific field of that object.

namely: "specific object, and only to a specific field of that object".

It follows that the serializer is usually enough for most cases.

Roughly speaking, why use an ACL to check whether it is allowed to output any given data on the UI? I can imagine that there is a listener that checks each server response, checks whether the user has access to the fields, and formats it as it should. But why, and why this way?


1 answer(s)
Alexander, 2021-03-28
@NeiroNx

It is usually very expensive to store ACLs in a cache on the server, it can be stored in an encrypted session on the client side, but this inflates traffic. It is better to query the databases for each server data request - always up-to-date ACL and instant application of rights. If you design the database in a certain way, then it will not be resource-intensive for the server at all.
This is usually needed because there is different data, and some of it should be shown only to certain roles, while others should not have access to it.
For example, the "wholesale price" is significantly different from the "retail" one, and the "purchase" price is lower still than wholesale.
So users of the lower tier, those from stores, should not learn the purchase and wholesale prices.
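The field-level filtering the question asks about, applied to the answer's price example, as an added illustration written in Python rather than Symfony's own ACL or serializer API: a serializer consults class-field and object-field entries per attribute and drops what the caller's roles may not view. The `Product` class, the role names and the ACL entries are constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Product:  # constructed sample entity
    id: int
    name: str
    retail_price: float
    wholesale_price: float
    purchase_price: float


@dataclass
class FieldAcl:
    # class-field scope: (class name, field) -> roles allowed to VIEW it
    class_field: dict = field(default_factory=dict)
    # object-field scope: (class name, object id, field) -> roles allowed to VIEW it
    object_field: dict = field(default_factory=dict)

    def is_granted(self, obj, field_name, roles):
        cls = type(obj).__name__
        # object-field entries are the most specific, so they win when present
        ace = self.object_field.get((cls, obj.id, field_name))
        if ace is None:
            ace = self.class_field.get((cls, field_name))
        if ace is None:
            return True  # no entry for this field: it is not restricted
        return bool(set(roles) & ace)


def serialize(obj, acl, roles):
    """Return only the attributes the caller's roles are allowed to view."""
    return {name: value for name, value in vars(obj).items()
            if acl.is_granted(obj, name, roles)}


# Constructed ACL: id and purchase price for admins only, wholesale price for
# admins and wholesalers, plus one per-object exception for store users.
ACL = FieldAcl(
    class_field={
        ("Product", "id"): {"ROLE_ADMIN"},
        ("Product", "purchase_price"): {"ROLE_ADMIN"},
        ("Product", "wholesale_price"): {"ROLE_ADMIN", "ROLE_WHOLESALE"},
    },
    object_field={
        ("Product", 7, "wholesale_price"): {"ROLE_ADMIN", "ROLE_WHOLESALE", "ROLE_STORE"},
    },
)
PRODUCTS = [Product(7, "Widget", 10.0, 7.0, 5.0), Product(8, "Gadget", 20.0, 14.0, 9.0)]


def response_for(roles):
    """What a response listener would emit for a caller holding these roles."""
    return [serialize(p, ACL, roles) for p in PRODUCTS]
```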
