
On my Single Page App I am using MSAL.js to authenticate users and to also extract the groups they belong to by using Microsoft Graph endpoints. I save to a variable the Specific groups the user belongs to. According to the content of that variable, a different Home Page will be rendered. The code looks like this:

// Dashboard component: picks a view from the group name stored client-side.
function Dashboard({ user }) {
    if (user.group === 'AppAdmin') {
        return (
            <div className='h1'> Admin Dashboard</div>
        );
    } else if (user.group === 'AppManager') {
        return (
            <div className='h1'> App Manager Dashboard</div>
        );
    } else {
        return (
            <div className='h1'> User Dashboard</div>
        );
    }
}

user.group contains the group the user belongs to in Active Directory.

Will an end user not belonging to the AppAdmin or AppManager groups be able to modify in their web browser the variable user.group value to fool the browser into rendering admin or manager content?


1 Answer


It's not just that they can modify the variable to show whatever dashboard they want - the fact is that they have full control over the app, can view all code, can view all data in the app, etc... The client has full control over the app, so if you have any data, logic, or code that you don't want users to see, your only option is to never send it down.

Client side checks have only one purpose: to provide a nice user interface for users. They have no security value whatsoever.

Conor Mancone
  • The aspect of the client side providing no security is only valid in a very limited threat model. In most PWAs, the client will play a major role in XSS prevention, for example. – Jenessa Nov 24 '19 at 01:00
  • @Jenessa Yes, but the OP is clearly asking about a user making changes in their own system: "Will an end user not belonging to the AppAdmin or AppManager groups be able to modify in their web browser" – Conor Mancone Nov 24 '19 at 01:24