Restrict access to router with flow router

churcho · May 13, 2015, 11:48am

I have an app (still in infancy) which uses iron-router to validate user credentials based on routes. Now I have this:

Router.onBeforeAction(UserAuth.loginRequired,{
except: [‘login’,‘install’]

});

I intend to refactor my code to use flow-router which I am hours into reading about. How can I implement this sort of code in the middlewares so that I can tell it which routes to specifically check login credentials. I will at a later stage have segments for admins, authors and different role based route authentication.

Kindly assist

mrzafod · May 13, 2015, 12:04pm

flow-router grouping

churcho · May 13, 2015, 1:43pm

Thanks @mrzafod, I managed to do it with that. Now I have to find a way to render my master template and inject partials. Do I open a new thread on the same? I guess so

dmr · May 13, 2015, 7:22pm

Remember that route control doesn’t provide actual security. You can stop people from navigating to the page like normal users, but I can still get there if I really want to because I’m a 1337 hax0r. You still send the code and templates for that page to people who aren’t allowed to go to that page.

fvg · May 13, 2015, 7:28pm

Just use flow-layout

churcho · May 13, 2015, 9:06pm

I have been grapling with that as well… so how can we mitigate against such or it’s something Meteor still has no answer to since we send down all the HTML/JSS code that is on client to the browser?

Is there a way I can conditionally send down HTML?

mrzafod · May 14, 2015, 4:07am

Client side code is not a real security hole. what we can see:

Template.__checkName("basesEdit");
Template["basesEdit"] = new Template("Template.basesEdit", (function() {
  var view = this;
  return HTML.SECTION({
    "class": [ "wrap", " ", "has-left-aside" ]
  }, Blaze.If(function() {
    return Spacebars.call(Spacebars.dot(view.lookup("tmpl"), "baseId"));
  }, function() {
    return [ null, Blaze._TemplateWith(function() {
      return {
        name: Spacebars.call("basesEditElement"),
        baseId: Spacebars.call(Spacebars.dot(view.lookup("tmpl"), "baseId"))
      };
    }, function() {
      return Spacebars.include(view.lookupTemplate("wgLayout"));
    }), null, Blaze._TemplateWith(function() {
      return {
        baseId: Spacebars.call(Spacebars.dot(view.lookup("tmpl"), "baseId")),
        currentPage: Spacebars.call(Spacebars.dot(view.lookup("state"), "data", "currentPage"))
      };
    }, function() {
      return Spacebars.include(view.lookupTemplate("wgAsideLeft"), function() {
        return HTML.ARTICLE(Blaze._TemplateWith(function() {
          return Spacebars.call(view.lookup("."));
        }, function() {
          return Spacebars.include(view.lookupTemplate("basesEditAsideMenu"));
        }));
      });
    }) ];
  }));
}));

Can any one hack my service? No! But routing is for fetching a chunk of server data (check user’s permissions here!) and rendering a view (views)