Security and User Permissions

Best tutorial for learning how Wappler handles v4. User Permissions and Security?

I’d like to know a lot about it:

  • How to handle it both server side and client side (PHP).
  • How to use multi-table user permissions & conditions.

etc.

Thanks!
Jeff

Although this does not specifically answer your question, this video will show the different uses of Security Identity.

I did watch that, previously, Ben.
Thanks for that video - it was very helpful as are all your videos.
I hope others take notice of it.

Now, I’m looking to go deeper on those user permissions.

Disclaimer: I’m not experienced with permissions on Wappler, so apologies in advance if I say something wrong

Honestly, I don’t think Wappler’s permission system is “enterprise-ready” yet

The permission system is based on roles, it doesn’t check things like “user can only edit its own blog post”, rather “user can edit blog posts” (as far as my limited experience goes; and even if does that, things get complicated when you don’t want to check permission per-user, but rather per-team… or something like that)

I’m looking forward cooking my own logic for permissions, and just use Wappler’s identity stuff for login/register

if blog_post.author_id == session.id // if blog post belongs to user, can edit

Still have to think exactly how to introduce such logic in Wappler, without complicating too much. Some Wapplers from The Netherlands have somehow made their way around this idea, although I’m trying to avoid looking at them :slight_smile:

We have applications running with tens of thousands of users (not quite enterprise level but still a lot of role based activity going on), in multiple groups, with multiple permission sets. I think due to there being in-numerous ways of implementing role based permissions its a good compromise as it stands, and works really well, for us and our purposes (hasn't let us down yet)... Can always use the user identity to check against things such as the 'author' of a post matches the identity (example) allow edit, also ternary operators are great for this purpose too. With roles combined it all operates very smoothly. Allows for a lot of flexibility. Security Restrict can not be underrated, can achieve some really quite complex checks against permissions. Combine with Conditional Regions too. The flexibility for the 'Developer' is quite extensive in this regard.

2 Likes

I wouldn't mind seeing implemented something like casbin

An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir

So, is there not really a tutorial/explanation of how Wappler Security and User Permissions works?

(ps, I enjoyed the above discussion)

Thanks @Teodor!
I should’ve specified that I have seen those good instructions.
I’m looking for anything that goes beyond that one into more examples and details on implementing it :slight_smile: Thanks!

Implementing what exactly? Once you define your roles, you can restrict pages and actions based on specific role.

I’m successfully using it. I mainly want to learn more.

Something I haven’t been able to do yet: user permissions for displaying particular page elements.

For instance, I have a homepage on my site for all users.
I want to show different elements on the page based on the user permissions. Right now, I can security restrict their server access, so they can’t do anything, but they still see the things they don’t have access to.

I could do a dynamic attribute of “show” connected to a Server Connect with their access… that just effectively “hides” it, but the data is passed, right? So, a nefarious user could see the information.

So, I don’t know how to only deliver the content unless they have permission when comes to page elements and not just pages.

You can query the user details and output the user role on your pages.
There you can use conditional regions to show and hide data based on the role.

Here It’s explained about the different show and hide methods available:

2 Likes

Cool - I didn’t realize that Conditional Regions prevented data from being loaded in the DOM!
Good to know it’s actually secure.
Thanks!

I think I know what you are looking for, and you’ll have to build your own…at least, that’s what I’ve found.

For row specific permissions, I create a server library that performs the check—usually something like does current user id match creator Id of some record. Or do they belong to some group. Then call this library on server actions needing protection.

3 Likes

Well, there are levels to security :grinning:. As I’m sure Teodor would point out, The only way to maintain complete security is to prevent the data from being sent by the server.

2 Likes

Oh - so Conditional Regions ARE still sent by the server?

On this page, https://docs.wappler.io/t/show-or-hide-elements-conditionally/36361 - it says “As our condition is not met, the contents of the conditional region will not be rendered in the browser. You can inspect the page using the browser dev tools and see that the contents are not being added to the DOM at all”

I guess I took that to mean the server doesn’t even send the info?

That’s why you want to restrict server actions as well based on the user role/id.

1 Like

Maybe this reply some time ago from Patrick will help explain…

2 Likes

Yeah, that makes sense. It’s 100% true.

It’s not insecure to display a “finance record table” if there’s no data in the table.

But, I guess there’s just some programming itch inside me that I can’t scratch if I’m delivering a hidden table that’s supposed to be secure, even if it’s void of data. :rofl: :joy:

2 Likes

Since I’m not a security expert, I try to take a simple view of this…

Security is done at the server…full stop, no exceptions. In this regard, I include validation.

Improved UX is done at the client.

So yes, I do client side validation but not to secure things…it is to make the experience better for the user. So I also perform that validation on the server to maintain integrity of data, etc.

And yes, I use conditional regions to hide/show elements based on role/permission, but that is to improve the UX, not to maintain a secure app.

3 Likes