Hey Eric,

Thanks for the input. I'll have to tackle this on a more serious note than 
I originally thought. This will take some planning. Sorry for the delay; I 
was out in Germany for 2 weeks.

I would appreciate anyone else giving some input to see how different 
people handle this.

On Tuesday, June 17, 2014 10:27:30 AM UTC-4, Eric Eslinger wrote:
>
> I do two things. One is convenience- on the client side, I make it 
> difficult for users to edit things they shouldn't. I settled on polluting 
> $rootScope a little bit with a globals object that stashes stuff like 
> currentUser and so on (things relevant to currently-logged-in user that may 
> be of interest on many pages, and don't change route-by-route). So if the 
> user views someone else's profile, they don't see an edit button. I just 
> use ng-if statements to handle conditional rendering.
>
> however. 
>
> You can't trust the client, at all. They could always issue curl requests 
> direct on your REST endpoint, or fiddle the javascript state to make 
> themselves have a different currentUser than the password they logged in 
> with.
>
> So you need to also protect this stuff on the server side. I do this by 
> attaching a bearer token to the http request headers:
>
> $http.defaults.headers.common['Authorization'] = "Bearer #{apiToken}"
>
> Then my back end doesn't do anything that's not authorized by that 
> particular token, even if the front end has been hacked to emit the request.
>
> also.
>
> I'd consider changing your routes up. To me, it looks like you want to 
> have example.com/accounts/2 and accounts/2/edit. Then accounts/:id can 
> display information for each account, and you might use that to display a 
> profile of that user if :id != currentUserId and the edit page if it does. 
> I use ui-router, so I'm not sure if this is possible in vanilla-router, but 
> you could either reject the route change or fiddle with the resolve or even 
> controller blocks on that route to push the user to a different route if 
> they're not authorized.
>
> hth
> e
>
>
>
>
> On Tue, Jun 17, 2014 at 6:26 AM, Billy Figueroa <[email protected]> wrote:
>
>> Hi All,
>>
>> I want to know how you guys go about preventing edits by non-authorized 
>> users in AngularJS using REST.
>>
>> For example, currently a user can login and edit his account. Take for 
>> example the webpage he is sent to, to edit...
>>
>> www.somesite.com/edit/2/account
>>
>> 2 being the user id.
>>
>> Now that that user is logged in, he can manipulate the url and enter
>>
>> www.somesite.com/edit/*3*/account
>>
>>
>> I have no current way to prevent this and I have been playing around with 
>> it but haven't found a great solution. So far I have been checking the 
>> current user's id compared to the user_id in the routeParams
>>
>> the route for example looks like this...
>>
>>     .when('/edit/:user_id/account', {
>>         templateUrl: '../views/account.php',
>>         controller: 'MemberAccountController',
>>         restrict: true,
>>         name: 'account'
>>     })
>>
>>
>> I am using the $routeChangeStart event to try to settle this.
>>
>> Any input will help. 
>>
>> Thanks
>>
>
>
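The server-side check Eric describes, as an added example that is not code from this thread: a plain JavaScript function that maps the bearer token to the user the server itself authenticated and refuses the edit when that user does not match the :id in the route. The session map, token strings and function names are constructed for illustration.

```javascript
// Added example (not from the thread): server-side authorization for an
// "accounts/:id/edit" style request. The decision uses only server-side
// state (which user the bearer token belongs to), never anything the client
// claims about currentUser, so a fiddled front end or a raw curl request
// against the REST endpoint gets the same answer.

// Constructed sample session store: opaque bearer token -> authenticated user id.
// (Hypothetical; a real app would back this with its session/token storage.)
const sessions = new Map([
  ['tok-user2-abc', 2],
  ['tok-user3-xyz', 3],
]);

// Pull the token out of an "Authorization: Bearer <token>" header value.
// Returns null for a missing, non-string or malformed header.
function parseBearer(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Decide whether this request may edit the account named by routeUserId
// (the :id from the route). Returns an HTTP-style {status, reason}.
function authorizeEdit(headers, routeUserId) {
  const token = parseBearer(headers['authorization']);
  if (!token) return { status: 401, reason: 'missing or malformed bearer token' };

  const authUserId = sessions.get(token);
  if (authUserId === undefined) return { status: 401, reason: 'unknown token' };

  const target = Number(routeUserId);
  if (!Number.isInteger(target)) return { status: 400, reason: 'bad user id' };

  // The core check: the user the server authenticated must be the account
  // being edited. Editing /accounts/3 with user 2's token is rejected here
  // regardless of what the client-side ng-if or route guard decided.
  if (authUserId !== target) return { status: 403, reason: 'token belongs to a different user' };

  return { status: 200, reason: 'ok' };
}
```

The client-side ng-if and route guard still belong in the app for usability, but this function is the only place the decision actually holds.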

-- 
You received this message because you are subscribed to the Google Groups 
"AngularJS" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/angular.
For more options, visit https://groups.google.com/d/optout.
