
I have an angular app, where each time I try to access a secure route, I first send a request to the server to verify my token. If the token is valid, I send an object to the client with the user's details, and a field telling me whether the user is an admin or not. On some pages, I want certain divs to be seen only by admins, so I do this:

<div ng-if="userData.isAdmin">Admins Only</div>

Is this scheme of mine secure enough? I'm not sure, because hackers with sufficient knowledge in angular may try to change my variables. I did come across a similar discussion in the link below:

using ng-if to secure different content on page angular js

However, I don't quite understand what their conclusion is. Are they trying to say that client side apps simply aren't secure enough, or is there some better trick in angular that can give me what I need?

Thanks.

  • It's not very secure... nothing stopping anyone from going in the console and flipping userData.isAdmin to true. Commented Jan 18, 2016 at 16:02
  • It is not secure against someone fiddling around with the javascript debugger. The secure way is to fetch the admin data/content using $http or something like that. Commented Jan 18, 2016 at 16:04
  • Can you provide a simple code example of the best way to do it? Commented Jan 18, 2016 at 16:09

1 Answer

Here is how it is done quite often; your admin.html looks like:

<div ng-if="userData.isAdmin">
    <div ng-repeat="data in secureData">{{data}}</div>
</div>
<div ng-if="!userData.isAdmin">
    Access denied
</div>

And you acquire the data in the controller: secureData = $http('/api/secureData'...). Now all you need is to add a check on the server for the /api/secureData call.

So you secure data, not html templates.


1 Comment

I see your point, but if the secureData contains, for example, links that when you click them an event is broadcast on $rootScope, will the hacker be able to mock the secureData in the debugger and broadcast that event?
