Monday, September 8th, 2008

Form access control via jQuery and Jaxer

Category: Aptana


Tom Kirkpatrick has written about writing one form, and using access control to map it to various roles using jQuery and Jaxer.

This is a simple pattern. You never want to use client code to manage access, for obvious reasons. The approach is to have the server send out only the HTML that makes sense for the current role, and then to parse the incoming input and check access control on it again.

Using Jaxer, this is all taken care of in JavaScript, and you can use libraries such as jQuery to do work there.

One solution to the roles issue is to manipulate the DOM on the server before it heads to the client. The magic lies in the ‘server-nocache’ directive, which tells Jaxer that “the code should only run on the server, and that the code should not be cached and will therefore not be available during callbacks.”

  <script runat="server-nocache">

  // some kind of authentication to get the current user's role
  var role = getRole();

  // remove the other role's private form elements
  $((role == 'employer') ? '.employee.private' : '.employer.private')
    .remove();

  // disable the other role's form elements
  $((role == 'employer') ? '.employee input' : '.employer input')
    .attr('disabled', 'disabled');

  // no need to inject the Jaxer client framework (saves about 20k)
  Jaxer.response.setClientFramework();
  </script>

Of course, to be safe, you always need to check access control on the incoming request as well, and not rely on the HTML that you sent down.
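The server-side check that last sentence calls for, as an added example (not code from the post or from Jaxer): the same per-role policy that decides which form elements are sent down is applied to the submitted fields, so anything belonging to the other role is rejected regardless of what the browser posted. The field names, role names and function names are assumed for the example.

```javascript
// Added example: enforce on the incoming request the same role rules that
// the server-side DOM pruning applies on the way out. Names are assumed.

// Per-role policy: fields the role may edit, and fields that are private to
// that role (mirrors the '.private' / 'input' selectors used when pruning).
// Constructed for the example.
const FORM_FIELDS = {
  employer: { editable: ['company', 'vacancy'], private: ['budget'] },
  employee: { editable: ['name', 'cv'], private: ['salary_expectation'] },
};

// Fields a given role is allowed to submit: its own editable fields plus its
// own private fields. Everything belonging to the other role is off-limits,
// and an unknown role gets nothing at all.
function allowedFields(role) {
  const own = FORM_FIELDS[role];
  if (!own) return new Set();
  return new Set([...own.editable, ...own.private]);
}

// Check a submitted body (object of field name -> value) against the role's
// allow-list. Returns { ok, accepted, rejected } so the caller can refuse the
// request outright and log which fields should never have arrived.
function checkSubmission(role, body) {
  const allowed = allowedFields(role);
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(body)) {
    if (allowed.has(name)) accepted[name] = value;
    else rejected.push(name);
  }
  return { ok: rejected.length === 0, accepted, rejected };
}

// Constructed sample: an employee submission that also carries an
// employer-only field. The server rejects it even though that field was
// removed or disabled in the HTML it sent down.
const sampleBody = { name: 'Ada', cv: '...', budget: '99999' };
const sampleResult = checkSubmission('employee', sampleBody);
// sampleResult.ok === false, sampleResult.rejected === ['budget']
```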

Posted by Dion Almaer at 7:42 am

3 Comments »


runat=”server-nocache” … never seen that before.

Comment by Aimos — September 8, 2008

It’s a great example but it doesn’t need the “server-nocache” at all: caching is only for functions, and there aren’t any here, so nothing would get cached, and nothing would be available for callbacks ;-). That was already corrected in his original post.

Comment by Uri — September 8, 2008

Sorry, to be more clear: it needs “server”, and while you could use “server-nocache” just as well in this case since they do the same thing in the absence of functions, that would be 8 redundant characters…

Comment by Uri — September 8, 2008
