How to implement role based permissions on web app?

Hello all,

Can anyone suggest or provide some sample code to implement role based permissions on a web app’s pages? Or if not role based any sample code, thoughts etc??

Thanks,
Tim

This question is a bit broad, but if you happen to use Postgres (which I think you do, right?) I’d recommend using its role system.

Thanks for your reply Mximilian.

We do use Postgres, and you bring an interesting point. However, what we want to do is to keep certain pages secure - for many reasons not the least of which is to limit customer availability of certain pages so they don’t change something then things become broken.

Tim

Tim,

You can still use Postgres, but mainly as a storage mechanism.

You’ll need a table for permissions, by name. A table for groups, which have one to many relationship with the permissions table and then each user belongs to a group.

In your app, you have a class which, given a user, will load their group and the permissions assigned to it. The class should have a set of read only computed properties for each named permission.

When the user logs in, load the user’s permissions and apply it to a property on the session. Let’s say it’s called Permissions.

When you need to know, you then can just ask:

If Session.Permissions.CanCreateUsers Then...

The nice part is that to add new permissions, you just need to add the new permission and add it to the groups that should have it. The next time they log in, poof, they’ve got access.

Hi Greg,

I have tables set up in PostgreSQL already. The other functionality is where my issue comes in.
It seems you are suggesting to check the Session.permissions each time a user selects a menu item to load a different page?

Tim

You would have to. I’m not suggesting that you query the database every time, but yes, you would need to add logic that checked if a user was allowed to do each and every function that you wanted to control.

Now, you could handle some of this with exceptions after the action was attempted… for instance, if a user tried to create a record and wasn’t allowed to, but I find that user experience to be less than optimal. I’d rather the app just prevent users from doing or even seeing the things they are not allowed to do. But yes, that means that every control that should only be accessed by an administrator would need to be somehow flagged.

If you don’t mind tighter coupling, I suppose you could subclass all of the controls and add a visual property which let you set what permission was needed and then in the opening event, set its enabled or visible property appropriately.

In my apps, I set an authorization level property in the session when the user logs in. Then every time a new page is loaded, I check session.AuthLevel and either disable or make invisible any controls that user should not be able to use.

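As an added example (not code from the thread or from any of its posters), the three-table layout and login-time permissions object described in the two replies above, written in Python with sqlite3 standing in for PostgreSQL; the table, column, user and permission names are assumptions, and missing or unknown permissions are denied by default.

```python
import sqlite3

# Constructed in-memory schema for the three tables the thread describes (permissions by
# name, groups holding many permissions, each user in one group); sqlite3 stands in for
# PostgreSQL only so the example runs offline.
SCHEMA = """
CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE group_permissions (group_id INTEGER REFERENCES groups(id),
    permission_id INTEGER REFERENCES permissions(id), PRIMARY KEY (group_id, permission_id));
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL,
    group_id INTEGER NOT NULL REFERENCES groups(id));
INSERT INTO permissions VALUES (1, 'CanCreateUsers'), (2, 'CanEditSettings');
INSERT INTO groups VALUES (1, 'admin'), (2, 'customer');
INSERT INTO group_permissions VALUES (1, 1), (1, 2);
INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 2);
"""

class Permissions:
    """Loaded once at login and kept on the session, so page loads need no query."""
    def __init__(self, names):
        self._names = frozenset(names)

    def has(self, name):
        # A permission the user's group was never granted is denied by default.
        return name in self._names

    # Read-only computed property per named permission, matching the thread's
    # "If Session.Permissions.CanCreateUsers Then..." check.
    @property
    def can_create_users(self):
        return self.has("CanCreateUsers")

def load_permissions(conn, login):
    """One query at login: the user's group, then every permission granted to it."""
    rows = conn.execute(
        "SELECT p.name FROM users u "
        "JOIN group_permissions gp ON gp.group_id = u.group_id "
        "JOIN permissions p ON p.id = gp.permission_id "
        "WHERE u.login = ?", (login,)).fetchall()
    return Permissions(r[0] for r in rows)

def control_visibility(perms, controls):
    """Per page load: {control: visible?} given {control: required permission}."""
    return {ctl: perms.has(req) for ctl, req in controls.items()}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn
```

Adding a new permission is then a row in `permissions` plus rows in `group_permissions`; it takes effect for a user at their next login, when `load_permissions` runs again.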