I would love for the world to wait for a carefully architected VueJS app. But often it doesn’t. I recently had to quickly implement a role-based filter for a data driven application. And, the experience left me somewhat dizzy.
First, the basics -
- Roles had been implemented in the application as custom logic - back-end server framework had roles defined against users
- Permissions were used to check access to specific routes of API. Front-end app just did not show irrelevant links
- We had to implement data-filters - e.g. show only accounts assigned to a sales person, while show all of the company accounts to manager. The rules were defined, but not infinitely scalable like that in a typical CRM app
My first design idea was to find the current user role and apply filter in Vuex.
This was quickly abandoned in favor or tying the functionality to the UI since there could be opportunities for managers to view data “as a” sales rep. The design was changed to use routes and props to individual views. The driving factor was quick implementation and minimal impact to the larger application.
Pass props in router
Change views / create new views
The view is changed to receive
prop. Use a single view to fetch data, and display
- data from server in a list format (in AccountList component)
- display details of selected ‘active account’ in a form (which is part of the TabPanel component)
Change store module
account module in Vuex store will have code to call distinct server APIs based on the filter (initially passed by authMode).
Change server APIs
The server will have
all routes that simply call one service to fetch accounts based on filter.
Ok, what next?
This quick implementation works. The advantages were -
- Ability to secure server APIs based on roles (filter based on API access, no need to check within API services or controllers)
- Secure data access with server-controlled filters
- Reuse single UI for all roles (minimal changes)
But I am not happy with -
- code repetition in client - can do better
- lack of role-based security for front-end URLs
- potentially confusing functionality & spaghetti code if we need to secure updates to specific fields or allow actions based on roles
This may need a larger refactoring using a standard ACL function in the back-end and something similar on the front-end. That is probably for some other day.