I am building a hybrid mobile app using AngularJS and Ionic as front-end.
Each user belongs to an organisation. But it is possible to change which organisation a user belongs to on the server and in a different web application.
The user can do some things in the web app:
- Get data about the organisation
- Post, put and delete data about the organisation
Each of these requires an API call to get the relevant information.
Now my question is, when and how should I check which organisation the user belongs to?
- Should I send an API call before every get, post, put and delete to check which organisation the user belongs to?
- If yes, then what is a nice way to organize this organisation checking without having it tangle up all my other code?
It sounds like what you're trying to get at is permissions for the user to edit, etc. the organization only when they belong to it. That should be done server-side for the following reasons:
- It keeps the access control coupled to the operation, so the server can prevent disallowed reads/changes even if there's a bug in the client.
- It stops malicious users from bypassing the membership check altogether, which they can do if the client is all that's enforcing the rules.
- It avoids the API calls you're worried about that constantly need to recheck the user's membership, as well as the race conditions if membership changes between the check and the next call.
- It handles both your Ionic client and your other web client, and lets you expand to more clients in the future, without each having to duplicate the checking logic.
- Similarly, it lets you modify your permissioning logic in one place, for example if you wanted to differentiate users who can read the organization from admins who can edit it.
Once the server is solid, there are only a few places you'll need to sync the user's memberships:
- At app startup, unless you keep a cache from the last use and that's good enough.
- On some schedule as they use the app, if memberships change frequently enough that you want to sync quickly. Perhaps whenever they visit their list of organizations.
- When the user does something in the app to invalidate the cache, like join or leave an organization.
- When an API call about an organization fails, because the user may no longer be a member.
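The following is an added example, not code from the question or the answer above, showing the two halves the answer describes: a server-side handler that performs the membership/role check as part of every organisation operation, and a small client-side membership cache that resyncs on startup, on join/leave, or when the server rejects a call. The user ids, organisation ids, roles and the `handleRequest`/`listMemberships` functions are all constructed for illustration; in a real Ionic app the `api` object would wrap `$http` calls to the actual backend.

```javascript
// Added example (not from the original question or answer). A minimal in-memory
// model of the server-side check the answer recommends, plus the client-side
// membership cache it describes. Users, organisations and roles are constructed.

// --- Server side: membership and role data live here, never in the client.
const memberships = new Map([
  ['alice', new Map([['org-1', 'admin'], ['org-2', 'member']])],
  ['bob',   new Map([['org-1', 'member']])],
]);

// Role each HTTP method requires: reads need any membership, writes need admin.
const requiredRole = { GET: 'member', POST: 'admin', PUT: 'admin', DELETE: 'admin' };

function authorize(userId, orgId, method) {
  const role = memberships.get(userId)?.get(orgId);
  if (!role) return false;                       // not a member at all
  if (requiredRole[method] === 'member') return true;
  return role === 'admin';                       // write operations need admin
}

// Every organisation endpoint runs the check as part of the operation itself,
// so a membership change made on the server (or by the other web app) takes
// effect on the very next request, with no separate "am I a member?" call.
function handleRequest(userId, method, orgId) {
  if (!authorize(userId, orgId, method)) {
    return { status: 403, body: { error: 'not authorised for ' + orgId } };
  }
  return { status: 200, body: { org: orgId, method } };
}

// Used by the client only to populate its organisation list for display.
function listMemberships(userId) {
  return { status: 200, body: [...(memberships.get(userId)?.keys() ?? [])] };
}

// --- Client side: caches the org list for navigation only, and resyncs when
// the server rejects a call (the user may have been removed in the meantime).
class OrgClient {
  constructor(userId, api) {
    this.userId = userId;
    this.api = api;        // injected so it can be an $http wrapper in Ionic
    this.orgs = null;      // cache; null means "needs sync" (e.g. at app startup)
    this.syncs = 0;        // how many times we re-fetched, for the test below
  }
  syncMemberships() {
    this.orgs = this.api.listMemberships(this.userId).body;
    this.syncs += 1;
    return this.orgs;
  }
  invalidate() { this.orgs = null; }   // call after the user joins/leaves an org
  getOrgs() {
    return this.orgs ?? this.syncMemberships();
  }
  request(method, orgId) {
    const res = this.api.handleRequest(this.userId, method, orgId);
    // A 403 means the server's view of membership/role differs from ours;
    // drop the cache so the next org listing is fetched fresh. The server is
    // the source of truth, so the client never decides access itself.
    if (res.status === 403) this.invalidate();
    return res;
  }
}
```

Note that the client never consults its cached list to decide whether a request is allowed; it only uses the cache to render the organisation list, and the server's 403 is what drives invalidation.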