
On my Single Page App I am using MSAL.js to authenticate users and to also extract the groups they belong to by using Microsoft Graph endpoints. I save to a variable the specific groups the user belongs to. According to the content of that variable, a different Home Page will be rendered. The code looks like this:

function Dashboard({ user }) {
    // user.group holds the Active Directory group name fetched via Microsoft Graph on the client
    if (user.group === 'AppAdmin') {
        return (
            <div className='h1'> Admin Dashboard</div>
        );
    } else if (user.group === 'AppManager') {
        return (
            <div className='h1'> App Manager Dashboard</div>
        );
    } else {
        return (
            <div className='h1'> User Dashboard</div>
        );
    }
}

user.group contains the group the user belongs to in Active Directory.

Will an end user not belonging to the AppAdmin or AppManager groups be able to modify in their web browser the variable user.group value to fool the browser into rendering admin or manager content?

1 Answer


It's not just that they can modify the variable to show whatever dashboard they want - the fact is that they have full control over the app, can view all code, can view all data in the app, etc. The client has full control over the app, so if you have any data, logic, or code that you don't want users to see, your only option is to never send it down.

Client-side checks have only one purpose: to provide a nice user interface for users. They have no security value whatsoever.

  • The aspect of the client side providing no security is only valid in a very limited threat model. In most PWAs, the client will play a major role in XSS prevention, for example. Commented Nov 24, 2019 at 1:00
  • @Jenessa Yes, but the OP is clearly asking about a user making changes in their own system: "Will an end user not belonging to the AppAdmin or AppManager groups be able to modify in their web browser" Commented Nov 24, 2019 at 1:24
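The point the answer makes, shown as an added example that is not code from the question or the answer: the same AppAdmin / AppManager / User switch, but evaluated on the server from the validated access token, so editing user.group in the browser changes only which UI is drawn, never which data is returned. It assumes a middleware such as passport-azure-ad has already validated the token (signature, issuer, audience, expiry) and placed its claims on req.user; the group object IDs are constructed placeholders.

```javascript
// Azure AD puts group object IDs (GUIDs), not display names, in the `groups`
// claim, so the server maps IDs to app roles. Constructed placeholder IDs.
const GROUP_ROLES = {
  '00000000-0000-0000-0000-00000000aaaa': 'AppAdmin',
  '00000000-0000-0000-0000-00000000bbbb': 'AppManager',
};

// Dashboards each role may fetch; the highest role a user holds wins.
const ALLOWED = {
  AppAdmin: ['admin', 'manager', 'user'],
  AppManager: ['manager', 'user'],
  User: ['user'],
};

// Derive the effective role from already-validated token claims only.
function roleFromClaims(claims) {
  // Group overage: when a user is in too many groups Azure AD omits `groups`
  // and sets `_claim_names.groups`. Fail closed rather than guess; the server
  // would have to resolve membership via Graph before granting more.
  if (claims._claim_names && claims._claim_names.groups) return 'User';
  const groups = Array.isArray(claims.groups) ? claims.groups : [];
  const roles = new Set(groups.map((g) => GROUP_ROLES[g]).filter(Boolean));
  if (roles.has('AppAdmin')) return 'AppAdmin';
  if (roles.has('AppManager')) return 'AppManager';
  return 'User';
}

// Decide the response from the token, never from anything the browser sends
// in the body or query string. `requested` is the dashboard name in the URL.
function dashboardResponse(claims, requested) {
  const role = roleFromClaims(claims);
  if (!ALLOWED[role].includes(requested)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { dashboard: requested, role } };
}

// Express-style wiring (hypothetical route): app.get('/api/dashboard/:name',
// verifyToken, dashboardHandler). req.user is set by the token middleware.
function dashboardHandler(req, res) {
  const { status, body } = dashboardResponse(req.user, req.params.name);
  res.status(status).json(body);
}
```

The React component then requests /api/dashboard/admin and renders whatever comes back; a user who edits user.group to 'AppAdmin' sees an admin-looking shell but receives a 403 and no admin data.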
