0
mohamed emaish created
The menu is rendered with respect to permissions, but the user is still able to access the page if he writes it in the URL; what is your suggestion to handle this using the Abp framework?
3 Answer(s)
-
0
Hi Mohamed,
There are three levels of security we can provide on the Angular side:
1. We should not create menu items if the user has no permission to that page. This prevents the user from clicking the menu to enter the page.
2. We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.
3. We should check permission on every application service method call. This prevents the user from accessing/changing data in that page.
A hacker can overcome 1 and 2 by changing the JavaScript code in the client. There is nothing to do about that. But he cannot call services. Thus, he cannot see or change data. He sees only the template of the page, and that's nothing. This is the actual security.
-
0
hikalkan wrote:
> We should not define states (or routes) if the user has no permission to that page. This prevents the user from entering the page by writing the URL.

How can you check permission on the client side?
-
0
if(abp.auth.hasPermission('...')) { ... }
I will add it to docs.
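
The three levels described in this thread, as an added example that is not part of the original posts and is not ABP's own code. The `abp` object here is a stand-in exposing only `abp.auth.hasPermission`; the permission names, routes and the `getUsers` service are hypothetical.

```javascript
// Stand-in for the global `abp` object; in a real app the ABP scripts populate it.
// Permission names and routes below are constructed for this example.
function makeAbp(granted) {
  return { auth: { hasPermission: (name) => granted.includes(name) } };
}

const PAGES = [
  { state: 'users', url: '/users', permission: 'Pages.Users' },
  { state: 'roles', url: '/roles', permission: 'Pages.Roles' },
];

// Levels 1 and 2: build menu items and route states only for granted permissions.
function buildClient(abp) {
  const allowed = PAGES.filter((p) => abp.auth.hasPermission(p.permission));
  return {
    menu: allowed.map((p) => p.state),
    routes: new Map(allowed.map((p) => [p.url, p.state])),
  };
}

// Typing a URL only reaches a page if its state was defined.
function navigate(client, url) {
  return client.routes.get(url) || 'not-found';
}

// Level 3: hypothetical server-side application service. It checks the
// permissions held in the server-side session, never what the client claims.
function makeUserService(sessionPermissions) {
  return {
    getUsers() {
      if (!sessionPermissions.includes('Pages.Users')) {
        throw new Error('403: permission Pages.Users is required');
      }
      return ['alice', 'bob']; // constructed sample data
    },
  };
}

// Calls the service the way a page would and reports the outcome.
function callGetUsers(service) {
  try {
    return { ok: true, data: service.getUsers() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}
```

Levels 1 and 2 depend on code running in the browser, so they only shape what the user is shown; the check inside `getUsers` is the one that decides whether data is returned.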