Angular ACL
About
Angular ACL (Access Control List) is a service that allows you to protect/show content based on the current user's assigned role(s), and those role(s) permissions (abilities).
For the purposes of this documentation:
- a resource is an object to which access is controlled.
- a role is an object that may request access to a Resource.
Put simply, roles request access to resources. For example, if a parking attendant requests access to a car, then the parking attendant is the requesting role, and the car is the resource, since access to the car may not be granted to everyone.
Through the specification and use of an ACL, an application may control how roles are granted access to resources.
Quick Examples
First you need to install this library :) It's available via bower or npm:
npm install --save angularjs-acl
bower install --save angularjs-acl
and add a<script>
to yourindex.html
:
<!-- For bower --> <!-- For npm -->
Set Data
Add ng-acl
to your app module's dependencies & setup the AclService
in run()
block.
angular; app;
Protect a route
If the current user tries to go to the /admin_panel
route, they will be redirected because the current user is a user
, and AdminPanel
is not one of a member role's abilities.
However, when the user goes to /posts/2
, route will work as normal, since the user has permission.
app; app;
Manipulate a Template
The edit link in the template below will be shown, because the current user is a user
, and Post
which was created by our user is one of a his role's abilities.
Controller
app;
Template
{{ post.name }}Edit
How secure is this?
A great analogy to ACL's in JavaScript would be form validation in JavaScript. Just like form validation, ACL's in the browser can be tampered with. However, just like form validation, ACL's are really useful and provide a better experience for the user and the developer. Just remember, any sensitive data or actions should require a server (or similar) as the final authority.
Example Tampering Scenario
The current user has a role of "guest". A guest is not able to "create_users". However, this sneaky guest is clever enough to tamper with the system and give themselves that privilege. So, now that guest is at the "Create Users" page, and submits the form. The form data is sent the the server and the user is greeted with an "Access Denied: Unauthorized" message, because the server also checked to make sure that the user had the correct permissions.
Any sensitive data or actions should integrate a server check.