
Securing angularJs views #13


mohamed emaish created

The menu is rendered with respect to permissions, but the user is still able to access the page if he writes it in the URL; what is your suggestion to handle this using the Abp framework?


3 Answer(s)
  • hikalkan created
    Support Team

    Hi Mohamed,

    There are three levels of security we can provide on the Angular side:

    1. We should not create menu items if the user has no permission to that page. This prevents the user from clicking the menu to enter the page.
    2. We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.
    3. We should check permission on every application service method call. This prevents the user from accessing or changing data in that page.

    A hacker can overcome 1 and 2 by changing the JavaScript code in the client. There is nothing to do about that. But he cannot call services. Thus, he cannot see or change data. He sees only the template of the page, and it's nothing. This is the actual security.

  • behiunforgiven created

    hikalkan:

    1. We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.

    How can you check permission on the client side?

  • hikalkan created
    Support Team
    if(abp.auth.hasPermission('...'))
    {
        ...
    }
    

    I will add it to docs.
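
The second and third levels from the answers above, as an added example that is not part of the original thread or of the ABP code base: states are registered only when `abp.auth.hasPermission` allows it, and a service that checks server-side grants still refuses the call after the client check has been replaced. The state table, the permission names (`Pages.Users`, `Pages.Roles`), the stub auth object, the stub state provider and the user service are all hypothetical stand-ins so that the sketch runs outside a browser.

```javascript
// Constructed stand-ins: in an ABP page, abp.auth.hasPermission comes from the
// framework and $stateProvider from ui-router. These stubs mimic only what is used.
function makeAuth(granted) {
  return { hasPermission: (name) => granted.includes(name) };
}
function makeStateProvider() {
  const states = {};
  return { states, state(name, cfg) { states[name] = cfg; return this; } };
}

// Hypothetical state table: each entry names the permission its page needs.
const STATE_DEFS = [
  { name: 'home',  url: '/',      templateUrl: 'home.html' },
  { name: 'users', url: '/users', templateUrl: 'users.html', permission: 'Pages.Users' },
  { name: 'roles', url: '/roles', templateUrl: 'roles.html', permission: 'Pages.Roles' },
];

// Level 2: define a state only when the current user holds its permission.
function registerStates(stateProvider, auth, defs) {
  for (const { name, permission, ...cfg } of defs) {
    if (!permission || auth.hasPermission(permission)) stateProvider.state(name, cfg);
  }
  return Object.keys(stateProvider.states);
}

// Level 3: the service decides from the server-side grant list and never
// trusts what the browser reports about itself.
function makeUserService(serverGrants) {
  return {
    getUsers(userId) {
      const grants = serverGrants[userId] || [];
      if (!grants.includes('Pages.Users')) return { status: 403, body: null };
      return { status: 200, body: ['alice', 'bob'] };
    },
  };
}

function demo() {
  const serverGrants = { 7: ['Pages.Roles'] };   // constructed sample data
  const auth = makeAuth(serverGrants[7]);
  const honest = registerStates(makeStateProvider(), auth, STATE_DEFS);
  // The client-side check replaced in the browser, as the answer says is possible:
  auth.hasPermission = () => true;
  const tampered = registerStates(makeStateProvider(), auth, STATE_DEFS);
  const response = makeUserService(serverGrants).getUsers(7);
  return { honest, tampered, response };
}
```

With the check replaced, the `users` state is registered and its template can load, but the service call still returns 403 because the decision is made from the server's own grant list.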