I'm fairly new to the server-side aspect of web development, and I'm trying to selectively display certain elements depending on the user's access privileges (i.e. whether he's an admin or not). I was thinking of doing something like this using Pug.:
<body>
<h1> Header </h1>
if locals.is_admin
p.admin-only Admin-only Content
</body>
I would assume this data is discarded after the page is created from the template, but I know better than to trust my assumptions when security is involved. So, would this be safe to do?
Are the locals passed to
res.render()secure enough to contain sensitive information?
It depends. Locals passed to res.render() are just variables in your server so they have no more vulnerability than any other variables in your server. They are garbage collected by the JS engine as soon as your code is no longer using them and res.render() has completed its rendering operation.
The "it depends" part is because it depends upon what your template does with the data. If the template includes any of that data in the rendered HTML file, then that will be sent to the client and it is most certainly NOT secure in any way.
But, if your rendering logic determines that the user is not an admin and therefore does not include any of the sensitive information in the rendered HTML file, then that information will not leave your server. So, it's really up to the logic in your template file to determine what of the locals leaves the server and to whom (what user) it is sent. That's where your security issues would or could be. Are you securely and correctly determining who has administrative privileges, is your template properly using that determination to make sure it doens't disclose information to the wrong user and are you sending administrators data that you should be sending them?