Imagine the following scenario. You are building a mobile or reactive web application with a page that any registered user can open, but only certain users may see some of its fields or perform some of its actions. In terms of security, there are two steps to take:
- Do a client role check to decide whether to show some information or enable some action.
- Do a server role check to allow or deny the corresponding server-level action.
Client role check
The client role check is used to programmatically show or hide UI elements depending on a given role. Let’s say we have the following roles: Client, Employee, and Manager.
In client-side logic you can use the checkIfCurrentUserHasRole function. It checks whether the current user has the given role and returns true if the user has it and false otherwise. For example, if only Managers and Employees should see a UI element, a JavaScript node can set a parameter as follows:
$parameters.CanSee = $public.Security.checkIfCurrentUserHasRole($roles.Manager) || $public.Security.checkIfCurrentUserHasRole($roles.Employee);
You can also wrap this check in a client action that returns a Boolean.
This way, the same function can be reused directly in any part of the page or in any client-side logic.
Server Role check
But since you should never rely on client code alone for security, you must repeat those role checks on the server side. Any server action the client can call is also reachable by any authenticated user with an HTTP client, regardless of what the UI shows or hides, so each of those actions must itself check that the current user holds a role that allows it. For that, use the built-in Check<role_name>Role function, which the platform defines automatically for every role; if it returns False, stop the action (for example by raising a Security Exception) instead of carrying on. This is server-side logic that cannot be used on the client side.
With these two validations in place, the client check determines who sees a UI element at the screen level, and the server check enforces who can actually perform the action, so every action a user triggers is validated where the user cannot tamper with it. This way, you end up with a more secure and sound application.
Source: OutSystems Security Documentation (and Forum in general) Feature toggle in OutSystems