Permissions based system in Javascript

I am curious as to how an experienced JavaScript programmer would go about enabling and disabling features of a JavaScript program based upon the user’s permissions.

I currently do this with an ACL in my PHP application. But, as I am starting to write a lot more JavaScript, I am wondering how to do the same thing in JavaScript.

If you’re passing in some authentication information from PHP into the page (e.g. set a JS var for “isAuthenticated” and “userLevel” or something like that) you could use that to load in a JS based on “who” the user is.

e.g. using “YepNope JS”:

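yepnope({
	test: isAuthenticated,
	// Choose the authenticated bundle by user level. A nested yepnope() call
	// here would run immediately, whatever the outer test evaluates to.
	yep : userLevel == config.userLevels.admin
		? 'scripts-auth-admin.js'
		: 'scripts-auth-user.js',
	nope: 'scripts-noauth.js'
});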

One very important thing to remember is that because JS runs on the client side, it is possible that the user tampers with the script and sets themselves as a logged-in admin. So it would be super important that you sense-check everything that is submitted to you on the server side by said JavaScript.

Using something like a nonce and a permission test on AJAX requests, you should be able to keep the app secure as well.
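
An added example, not part of the original posts, of the server-side check described above: the role is read from the server-side session and each AJAX request must carry a single-use nonce, so a client that sets itself to admin in the page's JavaScript is still refused. It is written in JavaScript (Node.js) rather than PHP, and the session ids, action names and the `issueNonce` and `authorize` helpers are assumptions made for the example.

```javascript
const crypto = require('crypto');

// Constructed server-side state: the role is stored here, never read from the request.
const sessions = new Map([
  ['sess-admin', { user: 'alice', role: 'admin' }],
  ['sess-user', { user: 'bob', role: 'user' }],
]);
// Constructed ACL: action name -> roles allowed to perform it.
const acl = new Map([
  ['deleteUser', ['admin']],
  ['viewProfile', ['admin', 'user']],
]);
const nonces = new Map(); // nonce -> { sessionId, action, expires }

// Issue a single-use nonce bound to one session and one action (5 minute lifetime).
function issueNonce(sessionId, action, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  nonces.set(nonce, { sessionId, action, expires: now + 5 * 60 * 1000 });
  return nonce;
}

// Decide an AJAX request. Client-sent fields such as req.userLevel are ignored on purpose.
function authorize(req, now = Date.now()) {
  const session = sessions.get(req.sessionId);
  if (!session) return { status: 401, reason: 'not authenticated' };

  const entry = nonces.get(req.nonce);
  nonces.delete(req.nonce); // single use, whether or not the request succeeds
  if (!entry || entry.sessionId !== req.sessionId ||
      entry.action !== req.action || entry.expires < now) {
    return { status: 403, reason: 'bad nonce' };
  }

  // Permission test against the role held on the server.
  const allowedRoles = acl.get(req.action) || [];
  if (!allowedRoles.includes(session.role)) {
    return { status: 403, reason: 'not permitted' };
  }
  return { status: 200, reason: 'ok' };
}
```
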