What are best practices for managing access of different User types?

I’m building a User Account section where Users can edit certain things about their profile. All Users will be associated with a Company, and some of them will be Admin Users that can manage additional things about the company that the regular users cannot.

I’m managing this by hiding certain buttons which show popups or other sections where company info can be edited. Is this enough, or will someone good enough with javascript be able to bypass the buttons and hide/show logic to just show these elements anyway? I imagine they’d be able to do that if the elements are all loaded and simply not shown.

More generally, in this scenario, what is the best way to make sure users don’t try to hack around and get to edit or even see info that’s not meant for them?

Thanks!

Hi there, @johndurso… with regard to users not being able to see info that is not meant for them, it’s all about privacy rules. If you have configured your privacy rules properly (whatever properly means for your app), you have nothing to worry about on this one.

About your other question, let me say I am not an expert in any way, shape, or form when it comes to what is possible for a hacker to do on the front end. That being said, if you put conditions on your edit workflows that only allow them to run when a user has the appropriate access, you will be covered even if a user can somehow access the elements on the front end.

Hope this helps.

Best…
Mike
