Monday, September 8th, 2008
Tom Kirkpatrick has written about writing one form, and using access control to map it to various roles using jQuery and Jaxer.
This is a simple pattern. You never want to use client code to manage access, for obvious reasons. The approach is to have the server spew out HTML that makes sense for the current role, and then parse the input that comes back and check access control on the server.
One solution to the roles issue is to manipulate the DOM on the server before it heads to the client. The magic lies in the ‘server-nocache’ directive, which tells Jaxer that “the code should only run on the server, and that the code should not be cached and will therefore not be available during callbacks.”
<script runat="server-nocache">
  // some kind of authentication to get the current user's role
  var role = getRole();
  // remove private form elements that the other role must never see
  $((role == 'employer') ? '.employee.private' : '.employer.private').remove();
  // disable irrelevant form elements
  $((role == 'employer') ? '.employee input' : '.employer input')
    .attr('disabled', 'disabled');
  // no need to inject Jaxer client framework (saves about 20k)
</script>
Of course, to be safe, you need to always test access control incoming, and not rely on the HTML that you send down.
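To show both halves of the pattern together, here is an added example in plain Node.js that is not from the original post, from Tom Kirkpatrick, or from Jaxer. It assumes a constructed field table (FIELDS) with an allowed-roles list per field: renderForm() prunes the HTML on the server before it is sent, and checkSubmission() re-checks the posted fields on the way back in, which is the step that actually enforces access when a client edits the form or hand-crafts a POST.

```javascript
// Added example (not from the original post or from Jaxer): the
// "one form, many roles" pattern without jQuery or Jaxer.
// renderForm() is the outbound DOM pruning; checkSubmission() is the
// inbound access check that must not rely on the HTML that was sent down.

// Field definitions (constructed for this example): each field lists the
// roles that may see it in the form and submit it.
const FIELDS = [
  { name: 'name',   label: 'Name',           roles: ['employee', 'employer'] },
  { name: 'salary', label: 'Salary',         roles: ['employer'] },
  { name: 'taxid',  label: 'Tax ID',         roles: ['employee'] },
  { name: 'notes',  label: 'Reviewer notes', roles: ['employer'] },
];

// Minimal HTML escaping for the labels and names we emit.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Set of field names the given role is allowed to see and submit.
function allowedFields(role) {
  return new Set(FIELDS.filter(f => f.roles.includes(role)).map(f => f.name));
}

// Outbound: emit only the fields this role may see. Fields the role may not
// see are dropped entirely rather than disabled, so the markup never leaks
// their names.
function renderForm(role) {
  const allowed = allowedFields(role);
  const inputs = FIELDS
    .filter(f => allowed.has(f.name))
    .map(f => `<label>${escapeHtml(f.label)} <input name="${escapeHtml(f.name)}"></label>`)
    .join('\n');
  return `<form method="post" action="/submit">\n${inputs}\n<button>Save</button>\n</form>`;
}

// Inbound: reject any submission that carries a field this role may not
// touch, whatever form the browser was originally given.
function checkSubmission(role, body) {
  const allowed = allowedFields(role);
  const rejected = Object.keys(body).filter(k => !allowed.has(k));
  if (rejected.length > 0) {
    // A real handler would log this and answer 403.
    return { ok: false, rejected };
  }
  return { ok: true, fields: { ...body } };
}

// Constructed scenario: an 'employee' re-adds the employer-only 'salary'
// field to a POST. The employee form never contained it, and the inbound
// check rejects the submission with rejected equal to ['salary'].
const tamperedBody = { name: 'Alice', salary: '999999' };
const verdict = checkSubmission('employee', tamperedBody);
console.log(renderForm('employee'));
console.log(verdict);
```

Disabling an input, as the jQuery snippet does, only stops a well-behaved browser from submitting it; the inbound allowlist is what turns the role mapping into an actual control, so the submitted keys are compared against the role's field set on every request rather than trusted because they matched the form that was served.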
Posted by Dion Almaer at 7:42 am