
Securing angularJs views #13


0
mohamed emaish created

The menu is rendered with respect to permissions, but the user is still able to access the page if he writes it in the URL; what is your suggestion to handle this using the Abp framework?


3 Answer(s)
  • 0
    hikalkan created

    Hi Mohamed,

    There are three levels of security we can provide on the Angular side:

    1. We should not create menu items if the user has no permission to that page. This prevents the user from clicking the menu to enter the page.
    2. We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.
    3. We should check permissions on every application service method call. This prevents the user from accessing/changing data in that page.

    A hacker can overcome 1 and 2 by changing the JavaScript code in the client. There is nothing to do about that. But he cannot call services. Thus, he cannot see or change data. He sees only the template of the page, and that's nothing. This is the actual security.

  • 0
    behiunforgiven created

    hikalkan:

    1. We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.

    How can you check permission on the client side?

  • 0
    hikalkan created
    if(abp.auth.hasPermission('...'))
    {
        ...
    }
    

    I will add it to docs.
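
The three levels from the answers above, as an added sketch that is not code from the thread or from the ABP project. Only `abp.auth.hasPermission` comes from the thread; the permission name `Pages.Users`, the state definitions, the session ids and the stand-in state provider and server are assumptions made so the sketch runs under Node without AngularJS.

```javascript
// Stand-in for ui-router's $stateProvider (assumption: records states only).
function makeStateProvider() {
  const states = {};
  return { states, state(name, cfg) { states[name] = cfg; return this; } };
}

// Level 2: define a state only when the client-side permission check passes.
// `auth` plays the role of abp.auth in the browser.
function registerStates(stateProvider, auth, defs) {
  for (const def of defs) {
    if (!def.permission || auth.hasPermission(def.permission)) {
      stateProvider.state(def.name, { url: def.url, templateUrl: def.templateUrl });
    }
  }
  return Object.keys(stateProvider.states);
}

// Level 3: the server decides from its own record of the session's grants,
// never from anything the browser reports (hypothetical service method).
function makeServer(grantsBySession) {
  return {
    getUsers(sessionId) {
      const grants = grantsBySession[sessionId] || [];
      if (!grants.includes('Pages.Users')) {
        return { status: 403, body: null };
      }
      return { status: 200, body: ['alice', 'bob'] };
    }
  };
}

// Constructed sample data.
const stateDefs = [
  { name: 'home', url: '/', templateUrl: 'home.html' },
  { name: 'users', url: '/users', templateUrl: 'users.html', permission: 'Pages.Users' }
];
const server = makeServer({ 'session-admin': ['Pages.Users'], 'session-basic': [] });

// Unmodified client without the permission: the state is never defined.
const basicAuth = { hasPermission: () => false };
const basicStates = registerStates(makeStateProvider(), basicAuth, stateDefs);

// Client whose check was changed to always pass: the route and its template
// become reachable, but the service call for the same session is refused.
const alteredAuth = { hasPermission: () => true };
const alteredStates = registerStates(makeStateProvider(), alteredAuth, stateDefs);
const alteredResponse = server.getUsers('session-basic');
```

The last three lines are the point of the first answer: levels 1 and 2 shape the UI, and only the server-side check on the service call protects the data.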