Should stuff be double checked in logic aside from the HTML?


#1

Let's say I have this HTML:

```html
<button class="sitios" ion-button [disabled]="!positioning || !marker || !pois || pois.length == 0" (click)="qq()">
      Test
</button>
```

Should I test, for security reasons, in the `qq()` method whether `!positioning || !marker || !pois || pois.length == 0` from `[disabled]` meets the condition?

Thanks!


#2

I would say “no”. There are two situations to worry about here:

  • Angular is broken, in which case the user gets confused. A button that shouldn’t be clickable is clickable. Not a big deal from a security perspective, and something that is the framework’s responsibility, not the app’s.

  • qq() does something inherently requiring specific permissions, and the user absolutely shouldn’t be able to do that thing unless all those conditions in [disabled] are aligned properly. A big deal from a security perspective, but also one that is completely incapable of being handled within the app, period. The restriction would have to be enforced on a server.

It may be worthwhile, for both readability's and performance's sake, to collapse that complicated [disabled] expression into a single controller property, though.