Users can change their role or permissions in Local Storage
Closed this issue · 2 comments
Problem
Using a simple example:
```javascript
import { usePermify } from '@permify/react-role';

const { setUser } = usePermify();

// `email`, `password` and `apiLogin` (the app's own login request) come from the
// surrounding component. The original snippet named this handler `login` as well,
// which would have called itself recursively, so it is named `handleLogin` here.
const handleLogin = async (e) => {
  const response = await apiLogin(email, password);
  // The library keeps these roles/permissions client-side (Local Storage).
  setUser({
    id: "1",
    roles: ["admin"],
    permissions: ["CREATE", "UPDATE", "DELETE"]
  });
};
```
Once the user is logged in the following is stored in local storage:
As seen above, I changed roles from admin to CHANGED, and the user can reload the page and see the private component without restriction.
In my opinion, I think that's expected, since any roles/permissions set on the client side are merely there to control visualization/rendering of components, or to handle specific redirects based on those same constraints. But the feature itself, like listing/deleting a group of resources or executing any other role/permission-based action, should be enforced on the back-end side, not on the client side.
@fabioferreira3's comment explains the situation clearly: this library is purely used for feature flagging on the client side and nothing more, actually. So I'm closing this issue.
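The two comments above boil down to one rule: whatever `@permify/react-role` keeps in Local Storage is client-controlled, so the server must derive roles from its own session record and ignore any roles/permissions the browser sends. The following is an added illustration of that server-side check, not code from the library or from this issue; the in-memory `SESSIONS` store, the `Bearer` token header and the request shape are constructed assumptions standing in for a real backend.

```javascript
// Constructed in-memory session store, standing in for the backend's real one.
// The browser only ever holds the opaque token, never the roles themselves.
const SESSIONS = new Map([
  ["sess-abc123", { userId: "1", roles: ["admin"], permissions: ["CREATE", "UPDATE", "DELETE"] }],
  ["sess-def456", { userId: "2", roles: ["viewer"], permissions: ["READ"] }],
]);

// Resolve who is calling from the server-side session only.
function resolvePrincipal(headers) {
  const token = (headers["authorization"] || "").replace(/^Bearer\s+/i, "");
  return SESSIONS.get(token) || null;
}

// Authorization decision for one request. `request` mimics what an HTTP framework
// hands a handler: headers plus a body the client fully controls.
function authorize(request, requiredPermission) {
  const principal = resolvePrincipal(request.headers);
  if (!principal) return { status: 401, allowed: false };
  // Any roles/permissions the client copied out of Local Storage into the body are
  // deliberately never read; only the server's own record decides.
  if (!principal.permissions.includes(requiredPermission)) {
    return { status: 403, allowed: false };
  }
  return { status: 200, allowed: true, userId: principal.userId };
}

// A viewer session whose Local Storage was edited to claim "admin" (constructed input).
const tamperedRequest = {
  headers: { authorization: "Bearer sess-def456" },
  body: { roles: ["admin"], permissions: ["DELETE"] },
};

console.log(authorize(tamperedRequest, "DELETE")); // { status: 403, allowed: false }
```

The React side can still hide or show components from the stored roles for convenience; the decision that matters is the one `authorize` makes with the client's claims ignored.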