0
mohamed emaish created
Menu is rendered with respect to permission, but user still able to access the page if he write it in the url; what is your suggestion to handle this using Abp framework?
3 Answer(s)
-
0
Hi Mohamed,
There are three level of security we can provide in angular-side:
- We should not create menu items if user has no permission to that page. This prevents user to click the menu to enter to the page.
- We should not define states (or routes) if user has no permission to that page. This prevents user to enter to the page by writing url.
- We should check permission on every application service method call. This prevents user to access/change data in that page.
A hacker can overcome 1 and 2 by changing javascript code in the client. Nothing to do for that. But he can not call services. Thus, he can not see or change data. He see just only template of the page and it's nothing. This is the actual security.
-
0
<cite>hikalkan: </cite>
- We should not define states (or routes) if user has no permission to that page. This prevents user to enter to the page by writing url.
how can You check permission in client side?
-
0
if(abp.auth.hasPermission('...')) { ... }I will add it to docs.
Have an answer to this question?
Log in
and write your answer.