Restrict access to router with flow router

I have an app (still in infancy) which uses iron-router to validate user credentials based on routes. Now I have this:

except: [‘login’,‘install’]


I intend to refactor my code to use flow-router which I am hours into reading about. How can I implement this sort of code in the middlewares so that I can tell it which routes to specifically check login credentials. I will at a later stage have segments for admins, authors and different role based route authentication.

Kindly assist

flow-router grouping

1 Like

Thanks @mrzafod, I managed to do it with that. Now I have to find a way to render my master template and inject partials. Do I open a new thread on the same? I guess so

Remember that route control doesn’t provide actual security. You can stop people from navigating to the page like normal users, but I can still get there if I really want to because I’m a 1337 hax0r. You still send the code and templates for that page to people who aren’t allowed to go to that page.

Just use flow-layout

I have been grapling with that as well… so how can we mitigate against such or it’s something Meteor still has no answer to since we send down all the HTML/JSS code that is on client to the browser?

Is there a way I can conditionally send down HTML?

Client side code is not a real security hole. what we can see:

Template["basesEdit"] = new Template("Template.basesEdit", (function() {
  var view = this;
  return HTML.SECTION({
    "class": [ "wrap", " ", "has-left-aside" ]
  }, Blaze.If(function() {
    return"tmpl"), "baseId"));
  }, function() {
    return [ null, Blaze._TemplateWith(function() {
      return {
        baseId:"tmpl"), "baseId"))
    }, function() {
      return Spacebars.include(view.lookupTemplate("wgLayout"));
    }), null, Blaze._TemplateWith(function() {
      return {
        baseId:"tmpl"), "baseId")),
        currentPage:"state"), "data", "currentPage"))
    }, function() {
      return Spacebars.include(view.lookupTemplate("wgAsideLeft"), function() {
        return HTML.ARTICLE(Blaze._TemplateWith(function() {
        }, function() {
          return Spacebars.include(view.lookupTemplate("basesEditAsideMenu"));
    }) ];

Can any one hack my service? No! But routing is for fetching a chunk of server data (check user’s permissions here!) and rendering a view (views)