Exposing permissions to frontend can be dangerous #594
HommeSauvage
started this conversation in
General
-
Using something like @casl/react for the frontend can be tempting, as you won't have to write a lot of code to hide and show elements. However, I think this can be dangerous. Sending all the permissions JSON with a user object (or worse, defining them on the frontend) bears the risk of showing these permissions to a potential hacker, who can then target users with elevated permissions to try and hack them to gain access. This would be more difficult if no permissions are displayed, as this will make the hacker try to guess who's the user with elevated permissions.
So I think it's better to keep all those permissions on the backend only and, for the frontend, use simple permissions like:
These can be very high level and not specific to any subject, just general boolean values; then it's up to the backend to validate the abilities of the user.
Replies: 2 comments
-
Depending on the use case and business model. First of all, in case the API shares permissions, it should do this for a logged-in user only. There are no risks in knowing what you can do as a user in a system, but in case your API model is very different from the frontend model, or if you want to keep the dependency on casl only in the backend, then Boolean flags are a way to go.
-
Keep in mind that permissions are about access to data, not about access to UI sections.