I ran into several security authorization issues during web development and would like to ask you all for advice.
List of Questions:
1. In back-end development, are authorization logic and business logic separated? How is authorization logic organized?
2. In an MVC web application, the view has to display a menu list for a column, and the contents of that menu differ according to the user's role/permissions (for example, regular users versus paid users). How should a scenario like this be handled?
   1) The back end processes the logic and hands the finished data to the view template, which only iterates over it for rendering?
   2) The back end returns basic data, and the view processes it dynamically and generates the menu items itself?
3. When the front end and back end are separated, with the back end responsible for the API and the front end written in Vue.js, how should the problem in question 2 be handled?
4. How is security authorization designed for sites such as Zhihu, Douban, segmentfault, etc.?
Are the two different authorization schemes, ACL and RBAC, used at the same time? In what scenarios?
I saw an article: How to control permissions in a project based on RESTful-style API with front-end and back-end separation
https://www.v2ex.com/t/277765
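The separation asked about in question 1 and the menu rendering in questions 2 and 3, as an added JavaScript example that is not part of the original post or of any of the sites it names: the role table, permission names, users and article are constructed sample data, and `isAllowed`, `authorize`, `menuFor` and `editArticle` are hypothetical names. The policy lives in one function, RBAC answers the common case, a per-resource ACL covers ownership, and the menu is derived from the same policy so the view never re-implements it.

```javascript
// Added example (not from the original post): authorization policy kept
// separate from business logic, RBAC combined with a per-resource ACL, and
// the menu derived from the same policy. All data below is constructed.

// RBAC: role -> list of permission strings. Anything not listed is denied.
const ROLE_PERMISSIONS = {
  guest: ['article:read'],
  user:  ['article:read', 'article:create', 'comment:create'],
  paid:  ['article:read', 'article:create', 'comment:create',
          'article:read_premium', 'export:download'],
  admin: ['*'],                          // wildcard: every permission
};

// Policy function: the only place that decides "may this user do X to Y?".
// Roles are checked first; then any ACL entries attached to the resource
// (ownership or sharing grants that a role table cannot express).
function isAllowed(user, permission, resource = null) {
  for (const role of user.roles) {
    const perms = ROLE_PERMISSIONS[role] || [];   // unknown role grants nothing
    if (perms.includes('*') || perms.includes(permission)) return true;
  }
  if (resource && Array.isArray(resource.acl)) {
    return resource.acl.some(
      e => e.subject === user.id && e.permissions.includes(permission));
  }
  return false;
}

// Throwing variant for use inside business logic.
function authorize(user, permission, resource = null) {
  if (!isAllowed(user, permission, resource)) {
    const err = new Error(`forbidden: ${permission}`);
    err.status = 403;
    throw err;
  }
}

// Menu definition: each item names the permission it needs (null = public).
const MENU = [
  { key: 'home',    label: 'Home',             requires: null },
  { key: 'write',   label: 'Write article',    requires: 'article:create' },
  { key: 'premium', label: 'Premium articles', requires: 'article:read_premium' },
  { key: 'export',  label: 'Export data',      requires: 'export:download' },
  { key: 'admin',   label: 'Admin panel',      requires: 'site:admin' },
];

// What the back end hands to the view (a server-side template or a Vue.js
// front end calling an API): already-filtered menu data. The view only
// iterates over it and holds no policy of its own.
function menuFor(user) {
  return MENU
    .filter(item => item.requires === null || isAllowed(user, item.requires))
    .map(({ key, label }) => ({ key, label }));
}

// Business logic calls authorize() and otherwise contains no permission rules.
// Hiding a menu item is cosmetic; this check is what actually protects the API.
function editArticle(user, article, newBody) {
  authorize(user, 'article:edit', article);
  return { ...article, body: newBody };
}

// Constructed sample data.
const alice = { id: 'u1', roles: ['user'] };
const bob   = { id: 'u2', roles: ['paid'] };
const article = {
  id: 'a1', body: 'draft',
  acl: [{ subject: 'u1', permissions: ['article:edit'] }],   // alice owns it
};

console.log(menuFor(bob).map(i => i.key));   // [ 'home', 'write', 'premium', 'export' ]
```

With a separated front end, the API endpoint that serves the Vue.js menu returns `menuFor(user)` for the authenticated user; the client may hide items it does not receive, but every API route still runs `authorize()` server-side, since a client can request any URL regardless of what the menu shows.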