Bullet-Proof ACL using AngularJS


Question

I am new to AngularJS and trying to grasp the concept of implementing an access control layer so that some pages/menus will be hidden from certain users.

I usually implement ACL and all routes on the back-end (PHP/MySQL), but this project requires me to do everything on the client side only.

We have a remote server that is in charge of authentication and upon successful login, will return an is_admin flag so that I know whether to display the additional info.

Although not likely, since Angular is also the rendering engine and is in charge of all the logic, I am afraid that users will be able to play with browser developer tools and/or other 3rd party tools and gain access to those areas (since all scripts & logic will be visible to them in the browser).

So if I do:

    if (user.is_admin === true) {
        // display the additional admin data...
    }

A user can potentially set user.is_admin = true in the browser tools and gain access.

With server-side rendering such as PHP, the user will never be able to even know about these hidden areas, i.e.:

    <?php
       if ($user->is_admin === true) {...} // user will never ever see that or be able to modify $user properties
    ?>

Of course the server will keep on authenticating every request, so this exploit will only allow limited access, but it still seems like a non-secure way of hiding sections from certain users.

Am I missing something in Angular or is there a better way of doing it so that it's bullet-proof for client side hacks?

Answer

The Angular way of hiding sections is with the ng-if/ng-show/ng-hide directives, as in:

<div ng-if="is_admin">...</div>

You can't hide those divs from people who look at the source, or the resources you make available in your app. So don't provide admin data to those views.

My approach was to make an "admin" app in addition to the "standard" app and link between them. This way, the only things exposed are links to the admin site, which are blocked to non-admin users:

<div ng-if="is_admin"><a href="/admin/#/link">Link</a></div>

All requests to my /admin/* pages return a 401 status code if they are not an admin. The REST resources also return 401 status codes as appropriate.

(Edit: changed ng-hide above to ng-if to suppress those divs in the resulting DOM.)
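The server-side half of the answer above, as an added example that is not part of the original post: a request guard that returns 401 for `/admin/*` unless the server's own session says the user is an admin. The session store, session ids and the `handleRequest` shape are constructed for illustration; the point is that any `is_admin` flag the browser sends is ignored, so flipping `user.is_admin = true` in dev tools changes nothing.

```javascript
// Added example, not code from the original answer.
// Constructed server-side session store: session id -> user record.
// A Map (not a plain object) so ids like "constructor" cannot hit Object.prototype.
const SESSIONS = new Map([
  ["sess-alice", { name: "alice", is_admin: true }],
  ["sess-bob",   { name: "bob",   is_admin: false }],
]);

// Is this path under the /admin/* area the answer describes?
function isAdminRoute(path) {
  return path === "/admin" || path.startsWith("/admin/");
}

// Minimal HTTP-like guard.
// request: { path: string, cookies?: { session?: string }, body?: object }
// Returns { status, body }. Authorization comes ONLY from the server session;
// request.body.is_admin (client-controlled) is never consulted.
function handleRequest(request) {
  const sessionId = request.cookies ? request.cookies.session : undefined;
  const user = SESSIONS.get(sessionId);
  if (!user) {
    return { status: 401, body: "not authenticated" };
  }
  if (isAdminRoute(request.path) && user.is_admin !== true) {
    // The answer uses 401 here; 403 Forbidden would be the more precise code
    // for an authenticated user who simply lacks the admin role.
    return { status: 401, body: "admin only" };
  }
  return { status: 200, body: `ok: ${user.name} -> ${request.path}` };
}

// Demo: bob tampers with the client-side flag and still gets 401.
console.log(handleRequest({ path: "/admin/users",
                            cookies: { session: "sess-bob" },
                            body: { is_admin: true } }));
```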
