How to make client application secure in sharepoint

Highlighted
Occasional Contributor

Considering sharepoint development is mostly moving to client side with JSOM, REST api exposed. Even in recent announcement we have Sharepoint framework based on Client side.

With this I am assuming MS really want us developers to develop solution based on Client technology.

I had one question considering above. For any application developed with JavaScript etc, the application runs under the context of current user.

So i want my client application creates/edits items in list through front-end,so i Must provide contribute access to all the users. However, if this is little confidential, e.g Leave rquests, reimbursment reqeusts, I still have to provide users contribute access.

If few of my end users have Sharepoint knowledge, they can very much write javascript code and run that in browser developer console and can add tens of thousands of records to the list in few mins.

For a moment thought may be we can have app only policy and control this with permissions, but again sharepoint-hosted apps do not support app only policy.

I would like to know, what is the best way to handle such scenarios i.e. to have complete client based solution and handle the security as well? I understand we can write have server side code etc the old traditional way with run with elevated prev., but m really interested in client bases applications.

 

NOTE: I had posted this http://sharepoint.stackexchange.com/questions/191274/how-to-make-client-application-secure-in-sharep... , we discussed the obvious, just want to check if we have some suggestion from this community

1 Reply
Highlighted

From what I have seen I don't think you really can, which is a shame since the framework seems very promising. Not being able to elevate privilege's will limit what we can use it for unless Microsoft have something up their sleeve. There is always server side parts but they have dissadvantages, and don't (yet) work on modern pages from what I've read.