Client side showing, hiding is risky
I have a div which contains a button. I am initially setting the div to display:none and, depending upon the user rights, I am showing it to the user using JavaScript.
<div id="mydiv" style="display:none">
<asp:Button id="btn" runat="server"/>
</div>
PageMethods.GetRights(onsuccess);
function onsuccess(result){
if(result.isaccessible)
{
$("#mydiv").show();
}
}
Is showing, hiding at the client risky? I don't want to use UpdatePanel; if it is risky, what alternative to this do I have?
Anyone could view this div if they changed the display to "block" with an html inspector. If you are wanting this information to remain private I would suggest a different way of doing this.
The first, and the best way, is to skip the JavaScript and use the server to check the user's rights and display the div.
The second way is to make an Ajax call. If you would like this to work with JavaScript then I would suggest using an Ajax call to the server in order to get the information you want. Let the server check the user rights and return the div on success. Then simply replace the div's HTML with that returned from the server. Something like this might work:
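var getHiddenDiv = function(){
    $.ajax({
        url: yourUrl,   // placeholder: server endpoint that checks the user's rights
        type: "GET",
        success: function(data){
            // Insert the markup the server returned
            $("#mydiv").html(data);
        }
    });
};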
You'll need to re-check if the user has access to this functionality when they click the button and the request is posted to your server.
An easier way to handle this is to add a class to the body
<body class="logged_in">
if they are logged in.
Then css rules
#mydiv { display: none; }
.logged_in #mydiv { display: block; }
It all depends on your app structure. If the data in the hidden div is confidential, then by no means is setting its display to none a secure method, since the client has full access to all client-side data. But when talking about a button that invokes a back-end behavior, you should also be doing back-end validation on all requests.
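The server-side checks the answers above describe (return the markup only to authorized users, then check rights again when the button's request arrives), as an added example that is not part of the original posts. The session table, function names and button markup are hypothetical, and the handlers are plain functions standing in for real server endpoints.

```javascript
// Constructed sample data: session ids mapped to rights held on the server.
const SESSIONS = new Map([
  ["sess-admin", { user: "alice", canUseButton: true }],
  ["sess-guest", { user: "bob", canUseButton: false }],
]);

// The single authorization decision, evaluated only on the server.
function isAccessible(sessionId) {
  const session = SESSIONS.get(sessionId);
  return Boolean(session && session.canUseButton);
}

// GET handler for the fragment: markup is sent only to authorized users,
// so the page holds nothing hidden for anyone else to reveal.
function getFragment(sessionId) {
  if (!isAccessible(sessionId)) {
    return { status: 403, body: "" };
  }
  return { status: 200, body: '<button id="btn" type="submit">Run</button>' };
}

// POST handler for the button: rights are checked again here, because a
// request can arrive whether or not the button was ever rendered.
function postButtonAction(sessionId) {
  if (!isAccessible(sessionId)) {
    return { status: 403, body: "Forbidden" };
  }
  const user = SESSIONS.get(sessionId).user;
  return { status: 200, body: "Action performed for " + user };
}

// Client-side counterpart of the $.ajax success callback:
// insert only what the server chose to return.
function applyFragment(response) {
  return response.status === 200 ? response.body : "";
}

// Stand-alone demonstration with the constructed sessions.
for (const id of ["sess-admin", "sess-guest", "sess-unknown"]) {
  const html = applyFragment(getFragment(id));
  console.log(id, "fragment:", JSON.stringify(html),
              "post:", postButtonAction(id).status);
}
```

The class-on-body CSS approach from the answers still ships the markup to every visitor, so the check in the POST handler is what actually decides whether the action runs.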