I know there are a lot of posts floating around about how to handle user roles and permissions across apps and I’ve read those, but I just wanted some validation to make sure I’ve understood best practices correctly:
Do base-level Data Type lock-down using privacy rules.
We have Data Types for Roles / Security / Pages, so we use these to build conditionals that validate whether a user has access to a page or not on page load and then redirect them away if they don’t.
Because this check/redirect doesn’t happen server side, there is a brief flash where a page may be displayed that shouldn’t be. When Data Types are locked down properly, this will probably not expose any sensitive information but is still not a nice User Experience, so:
We are meant to hide the page contents until the page is loaded and display a loader until it does to cover this non-instant, browser-side redirect.
Does the above sound about right?
We have a multi-page app, which means there are a lot of pages to hide content on based on conditionals and a lot of pages to put a loader on. Is there some more efficient way of doing this using repeating elements, or something else I’m unaware of?
I don’t like doing this, for the main reasons you mention. Plus it is annoying to test and get redirected because you forgot to log into an account with the permission to test.
One thing that I like to do is to have a conditional on the navigation actions. So, if there is a page a user will get navigated to, and that page is to be protected via permissions, I might have the redirect on page load as an ‘extra measure’, but I would first put conditionals on navigation actions to navigate a user without permission to some other page, or on the page they are on show a popup indicating they do not have permission.
You can make a loader as a reusable element and put it onto the pages, or into another reusable element such as header or footer.
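An added example, not code from either poster or from the platform itself, that models the layers discussed in the opening post and in the reply above: privacy rules enforced server side, a conditional on the navigation action, and the on-load check with a loader as the extra measure. The roles, page names, field names and the sample record are all constructed for illustration; the point it makes explicit is that only the first layer is a security control, while the other two exist for user experience.

```javascript
// Added example (not from the thread): a minimal model of the layered access control
// discussed above. Roles, pages, field names and the sample record are constructed.

// Constructed stand-in for the Roles / Security / Pages data types:
// which roles may open which page.
const PAGE_PERMISSIONS = {
  dashboard: ["admin", "manager", "staff"],
  payroll: ["admin", "manager"],
  admin_settings: ["admin"],
};

// Constructed stand-in for privacy rules: which fields of a data type each role may read.
const FIELD_PRIVACY = {
  employee: {
    admin: ["name", "email", "salary", "bank_account"],
    manager: ["name", "email", "salary"],
    staff: ["name", "email"],
  },
};

// Layer 1, server side and authoritative: privacy rules are applied to every record
// before it leaves the server, so a page that briefly flashes has nothing sensitive to show.
function applyPrivacyRules(record, dataType, role) {
  const allowedFields = (FIELD_PRIVACY[dataType] || {})[role] || [];
  const filtered = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(record, field)) filtered[field] = record[field];
  }
  return filtered;
}

// Shared check used by both the navigation guard and the on-load check.
function canAccessPage(role, page) {
  const roles = PAGE_PERMISSIONS[page];
  return Array.isArray(roles) && roles.includes(role);
}

// Layer 2, client side: the conditional on the navigation action. A user without
// permission never leaves the current page and sees a popup instead.
function navigate(user, targetPage) {
  if (!canAccessPage(user.role, targetPage)) {
    return { navigated: false, showPopup: true, message: "You do not have permission to view that page." };
  }
  return { navigated: true, showPopup: false, page: targetPage };
}

// Layer 3, client side, the 'extra measure' against direct URL entry: the page starts
// with the loader visible and content hidden; content is shown only once the check passes.
function initialPageState() {
  return { showLoader: true, showContent: false, redirectTo: null };
}

function resolvePageState(user, page) {
  if (!canAccessPage(user.role, page)) {
    return { showLoader: false, showContent: false, redirectTo: "home" };
  }
  return { showLoader: false, showContent: true, redirectTo: null };
}

// Constructed record used to show what the client receives regardless of layers 2 and 3.
const SAMPLE_EMPLOYEE = {
  name: "A. Example",
  email: "a@example.invalid",
  salary: 50000,
  bank_account: "CONSTRUCTED-PLACEHOLDER",
};

// The server never consults client-side page state; it only applies the privacy rules,
// so even a user who reaches the payroll page without the redirect firing gets a filtered record.
function loadPayrollRecord(user) {
  return applyPrivacyRules(SAMPLE_EMPLOYEE, "employee", user.role);
}
```

Run it with a staff user and `loadPayrollRecord` returns only name and email, whether or not `navigate` or `resolvePageState` were ever consulted; that is the property to test for when reviewing a multi-page app, since the per-page conditionals and loaders can be forgotten on any one page but the privacy rules apply to every request.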
Thank you! Some good thoughts here. We are also not displaying elements that lead to places users don’t have permission to, but have the conditionals on page-load to prevent direct access via entering a URL.