Hi --
I'm changing the way I build my UI from this:
if ( role == 'Admin' ) myComp.visible = false;
...to a totally dynamic UI based on what is returned from the DB. I'm architecting the best approach to this now.
I've read about role-based access control and understand that it's best that the server generates the UI after a user is authenticated, but apart from re-doing the entire backend to store MXML et al., is there a better approach?
Is it a bad idea to have a Permissions object that has properties like:
showTabOne:Boolean = true; allUserToEditGrids:Boolean = false;
The components' visibility and includeInLayout properties will be bound to these values.
The UI will also allow a user to create new roles and set permissions.
The only drawback I see is that every time a new feature is added, the app will have to be recompiled to update the bindings.
Any tips are greatly appreciated.
Thank you!
A Permission object is fine; if you have a complex enough policy, it is natural to abstract it into its own class. About recompilation: bindings can be set at runtime (BindingUtils), maybe you can use it to avoid it. Not sure what "re-doing the entire backend to store MXML" is.
The normal way would be MXML controls composed after the authentication, indeed.
Be advised that someone can spoof a feed or flashvar to create a permission object to get themselves the credentials they require in a client app, allowing them to view/edit supposedly restricted content/areas.
A good approach for this would be, upon server authentication of the user and role, return a manifest xml defining what part of the ui is visible to the user and bind to those properties.
You can take security one step further and put restricted areas in flex modules to be loaded at runtime when the user navigates to that section. Before the module request is returned from the server, validate the user's right to load that module and return an error code if they are not logged in or do not have the role required for that module.
Storing mxml serverside for dynamic view generation is not a tenable approach. Yes you can, no you should not. Non-trivial use of the site would bring down the server with a quickness unless you implement a good caching mechanism.
See Web-tier compilation of MXML files for more info though as it's an interesting concept.
Check out the Flex Chimp and this article that describes it.
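Added example, not from the original posts: server-side enforcement of the manifest and module checks described in the answers above, written in Python. The role table, session tokens, module file names and function names are assumptions made for illustration; the permission names are the ones from the question.

```python
import xml.etree.ElementTree as ET

# Constructed sample data: role -> UI permissions and loadable modules.
ROLES = {
    "admin":  {"ui": {"showTabOne": True, "allUserToEditGrids": True},
               "modules": {"ReportsModule.swf", "AdminModule.swf"}},
    "viewer": {"ui": {"showTabOne": True, "allUserToEditGrids": False},
               "modules": {"ReportsModule.swf"}},
}
# Constructed session store: token -> role, filled in by the server at login.
SESSIONS = {"tok-admin": "admin", "tok-viewer": "viewer"}


def role_for(token):
    """Resolve the role from server-side session state only."""
    return SESSIONS.get(token)


def build_manifest(token):
    """Return the UI manifest XML for the authenticated user, or None."""
    role = role_for(token)
    if role is None:
        return None
    root = ET.Element("manifest", role=role)
    for name, visible in sorted(ROLES[role]["ui"].items()):
        ET.SubElement(root, "permission", name=name, value=str(visible).lower())
    return ET.tostring(root, encoding="unicode")


def authorize_module(token, module, claimed_permissions=None):
    """Decide a module request and return an HTTP-style status code.

    claimed_permissions stands for anything the client sent about itself
    (flashvars, a feed, a Permissions object); it is deliberately ignored,
    so a spoofed value cannot change the decision.
    """
    role = role_for(token)
    if role is None:
        return 401  # not logged in
    if module not in ROLES[role]["modules"]:
        return 403  # role is not allowed to load this module
    return 200      # caller may now stream the module to the client
```

The client binds visibility to the manifest purely for presentation; the status code from `authorize_module` is what actually protects the restricted module.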