I am trying to manage access permissions (Laravel and Backbone.js based SPA) on both roles & subscription types.
Although it is simple to control access to API endpoints based on the quoted criteria, I am not able to figure out how this can be done on frontend. What are the best practices on that?
To sum up the problem, there are basically two things to resolve:
Optionally one could think about permitted routes too. Then, a good practice would be to only return from the backend the ACL for the user and determine from it which items to render in the menu and the screens (what will imply to write some kind of mapper between the ACL and the access control and rendering) or would it be better to return more specific information (e.g. the menu structure).
Can I get any advice on this?
Returning permission detail from API should be enough. For eg. On successful login return all permission which are accessible to user and store it in app's local-storage. Later you can use permission to check whether to give user access to menu/component or not. So based on permissions you can show/hide the menu items.
You can even write a small function which accept one parameter for permission check and it would return true/false based on existence/non-existence. So when ever you require to check permission you can call the permission check function and make decision whether to show/hide the menu item or component.