Restricting Access to Certain Routes

[jrogozen]

Hi,

This is my first time implementing login/oAuth so first I'd just like to say a huge thank you for providing this and devise-token-auth. It's been frustrating, but I've learned a lot and feel like I've made some significant progress.

I'm using Rails as an api/backend with an Angular frontend. Currently, I have oAuth sign in working, but I'd like to make some routes ('/admin/*'), restricted to a single member. I don't really want to deal with having multiple user types, because at the moment, there will only be one admin. I've tried playing around in my head with a couple ways of doing this ... but I'm guessing that the easiest way to do it would be to make an 'admin' boolean in my user table.

I then want to set a $rootScope.$on('$routeChangeStart) to see if someone is trying to access '/admin/x' and if they aren't signed in + an admin, to redirect them to homepage.

Currently, this check looks something like this ...

$rootScope.$on('$routeChangeStart', function (ev, next, current) {
  // redirect admin paths if they are not admins

  var adminRoute = function(route) {
    return _.str.startsWith(route, '/admin');
  }

  var isAdmin = function() {
    $auth.validateUser()
      .then(function(user) {
        if (user.admin) {
          return true
        } else {
          return false
       }
    });
  }

   if (adminRoute($location.url()) && !isAdmin) {
     ev.preventDefault();
     $location.path('/sign_in');
   }
  });

This doesn't seem to work. I think that because $auth.validateUser(); is returning a promise, and then I'm doing the boolean check after it's resolved, I miss the time period in which I can successfully redirect using $location.path() in the $routeChangeStart function.

Is this an okay way of doing this? Are there other security concerns I should be aware of? Is there a fix to this?

Thanks so much!

[lynndylanhurley]

I recommend using the $q module for this.

Try this:

// use make sure to inject the $q library

var isAdmin = function() {
  // create promise
  dfd = $q.defer();

  $auth.validateUser()
    .then(function(user) {

      if (user.admin) {
        // resolve the promise if user is admin
        dfd.resolve();

      } else {
        // reject the promise if user is not admin
        dfd.reject();
      }
  });

  // return the $q promise
  return dfd.promise;
}

if (adminRoute($location.url()) {
  // if user is not admin, redirect to sign-in page
  isAdmin().catch(function() {
    $location.path('/sign_in');
  })
}

[jrogozen]

Thanks for the fast response. I couldn't get this to work (same problem as before).

But, this does seem to work:

.when('/admin', {
  templateUrl: "admin.html",
  resolve: {
    auth: function($auth) {
      return $auth.validateUser();
    }
  }
})

and

$rootScope.$on('$routeChangeSuccess', function (ev, next, current) {
  if (adminRoute($location.url()) && !isAdmin()) {
    flash.error = "You must be an administrator to access that page."
    $location.path('/')
  }
});

$rootScope.$on('$routeChangeError', function (ev, next, current) {
  flash.error = "Please login."
  $location.path('/sign_in');
})

[lynndylanhurley]

@jrogozen - closing this issue, please re-open if you run into any more trouble.