angularjs - Angular Js Security Issues Role Based Authorisation -

-

i creating new enterprise application in angular company. excited angular handling roles on client side not working out me.

basically saving token when ever user log's in , before user view page authorisation request sent server role , user details based on token.

after authorisation request data page server returns entire data irrespective of role of user, after use ng-switch , render templates according role.

now problem here trying show , hide data on client side after recieve user information have keep role in scope variable or local storage anywhere on client side. point here if keep on client side can change role , access data want.

so should assume angular not fit app trying display data on client side according roles server because feel if user can see logic , data can play it.

this view

   <div ng-switch="user.data.role">        <div ng-switch-when="admin">             <h1>hello seeing dashboard admin</h1>         </div>          <div ng-switch-when="manager">             <h1>hello seeing dashboard manager</h1>         </div>     </div>

here how fill user variable in controller

app.controller('dashoboardcontroller',  ['$scope','userservice', function ($scope, userservice) {      $scope.authentication = userservice.authentication;     $scope.user = userservice.fillauthdata();     console.log($scope.user);     $scope.greeting = "welcome! dashboard";    }]);

this service method

   var _fillauthdata = function () {          var authdata = sessionservice.get('user');          if (authdata) {             _authentication.isauth = true;             _authentication.data = authdata;          }          console.log(_authentication);         return _authentication;     }

session service getting user data server on basis of token. can see since view descriptive changing role in authdata not big deal.

please me if there work around this. wanted project in angular.

if web service (run on server) returns data client authenticated user not authorized access, web service (server side) has security flaw. there no way can fix client/browser side, regardless of client side framework decide chose. angularjs fine whatever want in browser, web service broken.


Comments

Post a Comment

Popular posts from this blog

javascript - how to protect a flash video from refresh? -

-
<!doctype html> <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8"> <title>flash video refresh</title> </head> <body> <div id="playerzone"><embed height="496" width="580" flashvars="flvid=19742822&amp;createtime=2012-4-19 13:46:33" wmode="opaque" allowscriptaccess="always" allowfullscreen="true" quality="high" bgcolor="#000000" name="player" id="player" src="swf/mine.swf" type="application/x-shockwave-flash"></div> <a onclick="return test();" id="test">click me popup div,and hide scrollbar</a> </body> the code upon: for example,when click a#test button,popup div,it's no problem,but want hide scrollbar while div popup. i used $('html').css('overflow','hidden') in...
Read more

visual studio 2010 - Connect to informix database windows form application -

-
i trying figure out how connect ibm informix database. have been doing research , have found threads 5 years ago examples not working. i have installed latest sdk ibm informix. i have included ibm.data.informix.dll references in project. i have included using ibm.data.informix; i adding button , on click testing conenction. debug error "sql0035n file "c:\users\adam\documents\visual studio 2010\projects\test\test\msg\en_us\db2nmp.xml" cannot opened." this file not exist , dont see anywhere in program files (x86)\ibm informix client sdk directory. my on click code is private void button1_click(object sender, eventargs e) { const string host = "192.168.obfuscated"; const string servicenum = "1525"; //port? const string server = "serverobfuscated"; const string database = "dbobfuscatedy"; const string user = "myusername"; const string password = ...
Read more

android - Associate same looper with different threads -

-
Image
in application, want create multiple threads working on single queue. create queue know need call looper.prepare() . i want other threads create should associated looper created first thread, how can achieve this? use 1 of java thread safe queue class java.util.concurrent package instead of looper achieve goal. it's more common practice. share queue between threads , post task queue entry 1 thread can entry thread. blockingqueue can - in 1 thread call take() , block thread until thread put() entry queue. that's all. producer consumer pattern example blockingqueue or concurrentlinkedqueue about blockingqueue
Read more