on 02-20-2018 9:35 AM
Hi Friends,
I want to hide a button on my view based on some back-end condition or role. Currently I can hide the button by binding a model property and setting the respective value, but the user is able to revert the visibility property by using F12 (developer mode) in Chrome. So what is the best way to handle this kind of issue?
Thanks
Suman Kumar
What does this button do? Why do you want to keep it hidden from the user?
These might seem silly questions, but in fact are important ones. If you have an action (let's say a DELETE action on the model) that this button triggers, then hiding it will not solve the problem AT ALL. If someone is smart enough to go through F12 and make this button appear, they might as well simply execute the DELETE HTTP method via Postman or even by the Google Dev Tools console.
Hiding a button in a web application is like having a hidden button that opens the safe without the key: it's just security through obscurity, which by itself is an antipattern.
You should implement the security check back in your model, not in your view.
Bruno
Yes, you got it!
Hi Suman, like everything on the web you have two different sides:
and I think that for safety you should always double check them (even if you think it's redundant).
So my suggestion is:
Ema.
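The back-end check recommended in the answers above, as an added example that is not part of the original thread. Role names, session ids and the order store are constructed assumptions, and plain functions stand in for a real HTTP framework.

```javascript
// Added example. Role names, session ids and the order store are constructed.
const PERMISSIONS = new Map([
  ["admin", new Set(["order:read", "order:delete"])],
  ["clerk", new Set(["order:read"])],
]);
// The role comes from the server's own session store, never from the request.
const SESSIONS = new Map([
  ["sess-admin", { user: "alice", role: "admin" }],
  ["sess-clerk", { user: "bob", role: "clerk" }],
]);
const orders = new Map([[1001, { id: 1001, item: "pump" }]]);

function can(role, action) {
  const allowed = PERMISSIONS.get(role);
  return allowed !== undefined && allowed.has(action);
}

// Value the view binds the button's "visible" property to. Convenience only:
// anyone can flip it in developer tools.
function viewModelFor(sessionId) {
  const session = SESSIONS.get(sessionId);
  return { deleteVisible: session !== undefined && can(session.role, "order:delete") };
}

// Back-end handler. The permission check runs on every request, so a DELETE
// sent from the console or Postman is refused exactly like a button click.
function handle(req) {
  const session = SESSIONS.get(req.sessionId);
  if (session === undefined) return { status: 401 };
  const match = /^\/orders\/(\d+)$/.exec(req.path);
  if (match === null) return { status: 404 };
  const id = Number(match[1]);
  if (req.method === "DELETE") {
    if (!can(session.role, "order:delete")) return { status: 403 };
    return orders.delete(id) ? { status: 204 } : { status: 404 };
  }
  if (req.method === "GET") {
    if (!can(session.role, "order:read")) return { status: 403 };
    return orders.has(id) ? { status: 200, body: orders.get(id) } : { status: 404 };
  }
  return { status: 405 };
}

// Clerk bypasses the hidden button and also claims a role in the request body.
const forged = { sessionId: "sess-clerk", method: "DELETE", path: "/orders/1001", body: { role: "admin" } };
console.log(viewModelFor("sess-clerk").deleteVisible, handle(forged).status);
```

The view flag and the handler share one `can` function, so the button state and the enforced policy cannot drift apart, but only the handler's answer counts.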