I do two things. One is convenience: on the client side, I make it
difficult for users to edit things they shouldn't. I settled on polluting
$rootScope a little bit with a globals object that stashes stuff like
currentUser and so on (things relevant to the currently-logged-in user that may
be of interest on many pages, and don't change route-by-route). So if the
user views someone else's profile, they don't see an edit button. I just
use ng-if statements to handle conditional rendering.

however.

You can't trust the client, at all. They could always issue curl requests
directly against your REST endpoint, or fiddle the JavaScript state to make
themselves have a different currentUser than the password they logged in
with.

So you need to also protect this stuff on the server side. I do this by
attaching a bearer token to the http request headers:

$http.defaults.headers.common['Authorization'] = "Bearer #{apiToken}"

Then my back end doesn't do anything that's not authorized by that
particular token, even if the front end has been hacked to emit the request.

also.

I'd consider changing your routes up. To me, it looks like you want to have
example.com/accounts/2 and accounts/2/edit. Then accounts/:id can display
information for each account, and you might use that to display a profile
of that user if :id != currentUserId and the edit page if it does. I use
ui-router, so I'm not sure if this is possible in vanilla-router, but you
could either reject the route change or fiddle with the resolve or even
controller blocks on that route to push the user to a different route if
they're not authorized.

hth
e

On Tue, Jun 17, 2014 at 6:26 AM, Billy Figueroa <[email protected]> wrote:

> Hi All,
>
> I want to know how you guys go about preventing edits by non-authorized
> users in AngularJS using REST.
>
> For example, currently a user can login and edit his account. Take for
> example the webpage he is sent to to edit...
>
> www.somesite.com/edit/2/account
>
> 2 being the user id.
>
> Now that that user is logged in, he can manipulate the url and enter
>
> www.somesite.com/edit/*3*/account
>
>
> I have no current way to prevent this and I have been playing around with
> it but haven't found a great solution. So far I have been checking the
> current user's id compared to the user_id in the routeParams
>
> the route for example looks like this...
>
>     .when('/edit/:user_id/account', {
>         templateUrl: '../views/account.php',
>         controller: 'MemberAccountController',
>         restrict: true,
>         name: 'account'
>     })
>
>
> I am using $routeChangeStart event to try to settle this
>
> Any input will help.
>
> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "AngularJS" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/angular.
> For more options, visit https://groups.google.com/d/optout.
>
