
“Client ACL” in RIA

October 23rd, 2009

We always use an ACL module to control whether a UI component is displayed for the current user. For example, a client ACL is meant to stop a read-only user from creating new objects by hiding the “New” button. But the client application is only a user interface that runs on the client machine and talks to the server over the Internet, and data can easily be changed anywhere on the long path from the browser to the server. Even if the client code (JavaScript, for example) hides the “New” button, the user can make it visible again with a browser tool like Firebug, or skip the button entirely and call the JavaScript function directly to invoke the hidden feature. So the real ACL must be built on the server side, the “safe area”, rather than on the client side, which is out of our control.
Never treat the “client ACL” as an ACL issue; it is really business logic. It is just data from which the client code decides whether to show a UI component, nothing else.
It sounds easy, but unfortunately we ran into such an issue today in a product released months ago.
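The split the post argues for, as an added example that is not code from the original post: the role table, the permission names and the session shape are constructed for illustration. The server derives a “client ACL” for display purposes from the same table it uses to authorize requests, so a client whose display flag has been altered still gets a 403 from the server.

```javascript
// Constructed role table (assumed, not from the post): the server-side source of truth.
const PERMISSIONS = {
  admin: new Set(['object:read', 'object:create']),
  readonly: new Set(['object:read']),
};

let nextId = 1; // constructed id counter for created objects

// Server-side authorization check. Every request goes through this.
function isAllowed(session, permission) {
  const perms = PERMISSIONS[session && session.role];
  return Boolean(perms && perms.has(permission));
}

// Server handler for "create object". It never consults client state
// (whether the "New" button was visible); only the server-side session counts.
function handleCreateObject(session, body) {
  if (!isAllowed(session, 'object:create')) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  if (!body || typeof body.name !== 'string' || body.name.length === 0) {
    return { status: 400, body: { error: 'name required' } };
  }
  return { status: 201, body: { id: nextId++, name: body.name } };
}

// "Client ACL": display data the server sends to the UI, derived from the same
// table. It tells the client what to render, and nothing more.
function clientAclFor(session) {
  return { canCreate: isAllowed(session, 'object:create') };
}

// Client-side rendering decision: purely cosmetic.
function renderToolbar(clientAcl) {
  const buttons = ['Refresh'];
  if (clientAcl.canCreate) buttons.push('New');
  return buttons;
}

// A read-only user whose client-side flag was flipped in the browser: the "New"
// button appears, but the server still refuses the create request.
function simulateAlteredClient() {
  const session = { user: 'bob', role: 'readonly' };
  const acl = clientAclFor(session);
  acl.canCreate = true;                        // altered on the client
  const shown = renderToolbar(acl);            // ['Refresh', 'New'] is now rendered
  const resp = handleCreateObject(session, { name: 'x' });
  return { shown, status: resp.status };       // status is 403
}
```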
