With every single server API call, I include the same library action to get the user's company ID, role & permissions. So when a page loads all server APIs, it does that same include for every single call.
It all works very fast, but I was wondering if this is fine for the long run? Is there a better way to handle it? I assume that storing the permissions in a session storage is not a good idea for security.
Checking permissions each time, in my opinion, is the way to go. Storing session values can lead to permissions mismatches especially in the period just after a change has been made.
I would say, though, that there is a specific element in the Server Actions called Security Restrict that allows you to set up a set of permissions (set it up in Globals > Security Providers > Users & Permissions).
Then you just need to add the Security Restrict step to each server action to protect it.
I doubt it will make any difference in terms of performance - maybe @patrick could add confirmation - but it should make creating the Server Actions a bit easier:
If you use it as server-side data on a page
If unauthorised (not logged in) it will redirect the user to the login page. For forbidden (not permitted) it can redirect to another page, maybe a landing page or dashboard.
Also worth considering is the Globals server actions - which run at the start of EVERY Server Action (be careful, putting too much in one of these leads to HUGE duplication of effort)
You could add a condition that if the identity is present, run a query to get the company id etc.
This would replace the library action requirement and be available in the picker for every Server Action file.
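The per-request lookup and the Globals-style step described in this reply, as an added example that is not part of the original post: a small Node.js sketch (not Wappler's own code) in which every server action gets the caller's company ID, role and permissions loaded fresh from a constructed in-memory store, contrasted with a snapshot kept in the session that goes stale after a role change.

```javascript
// Added example (not from the thread): authorization data loaded fresh on every
// request vs. a snapshot kept in the session. The stores are constructed in memory.
const usersDb = new Map([["u1", { companyId: "acme", role: "editor" }]]);
const rolePermissionsDb = new Map([
  ["editor", new Set(["article:read", "article:write"])],
  ["viewer", new Set(["article:read"])],
]);

// The "if identity is present, run a query" step: one lookup per request.
function loadAuth(identity) {
  const user = usersDb.get(identity);
  if (!user) return null;
  const permissions = rolePermissionsDb.get(user.role) ?? new Set();
  return { companyId: user.companyId, role: user.role, permissions };
}

// Global step wrapped around every server action: req.auth is populated first.
function withAuth(handler) {
  return (req) => {
    req.auth = req.identity ? loadAuth(req.identity) : null;
    return handler(req);
  };
}

function requirePermission(req, perm) {
  if (!req.auth) return { status: 401 };                       // not logged in
  if (!req.auth.permissions.has(perm)) return { status: 403 }; // not permitted
  return null;
}
// A server action that needs write access, scoped to the caller's company.
const writeArticle = withAuth((req) => {
  const denied = requirePermission(req, "article:write");
  if (denied) return denied;
  return { status: 200, companyId: req.auth.companyId };
});
// Session-snapshot variant: permissions copied at login and reused afterwards.
function writeArticleFromSession(session) {
  if (!session.auth) return { status: 401 };
  if (!session.auth.permissions.has("article:write")) return { status: 403 };
  return { status: 200, companyId: session.auth.companyId };
}
// Downgrade the role after "login" and compare the two paths.
function demo() {
  const session = { auth: loadAuth("u1") };                 // snapshot at login
  usersDb.set("u1", { companyId: "acme", role: "viewer" }); // permission change
  return {
    fresh: writeArticle({ identity: "u1" }).status,         // 403, sees the change
    session: writeArticleFromSession(session).status,       // 200, stale snapshot
  };
}
```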
Unfortunately I can't use the Security Restrict and Security Identity as I'm using a third-party authentication, and my users can create flexible roles and permissions which I store in the database, so I can't use default roles etc.
Even though I don't have any performance issues right now, it just seemed a "waste" to do the same exact query for all SC APIs at the same time. I wish that the same includes in all APIs that are requested could magically be combined in one request.
I thought about combining SC APIs in the same page in one SC API, but it's counterproductive as in that case I'll have to re-run everything when I only need to reload one database query.
So I guess I’ll continue with what I have now…
Thanks for the tip of the global server action! I didn’t realize that I could do that