ChipJuggler

Reputation: 27

Laravel4 + AngularJS. How to secure different routes in backend?

I have a web site based on the Laravel 4 framework, and I want to replace the current backend with a dynamic one based on AngularJS. But I don't understand how to secure the different backend routes. Now I have in my routes.php:

    Route::group(array('before' => 'manager-auth', 'prefix' => 'admin'), function()
    {
        // order management
        Route::group(array('prefix' => 'orders'), function()
        {
            // Here order routes
        });

        // news management
        Route::group(array('prefix' => 'news'), function()
        {
            // Here news routes
        });

        // all admin functions, no managers here!
        Route::group(array('before' => 'admin-auth'), function()
        {
            // user management
            Route::group(array('prefix' => 'users'), function()
            {
                // Here user routes
            });

            // group management
            Route::group(array('prefix' => 'groups'), function()
            {
                // Here group routes
            });

            // page management
            Route::group(array('prefix' => 'pages'), function()
            {
                // Here page routes
            });
        });

        // dashboard
        Route::get('/', array('as' => 'admin', 'uses' => 'Controllers\Admin\DashboardController@getIndex'));
    });

So anybody from the manager or admin group can administer news or orders and view the dashboard, but only members of the admin group can manage users, groups and pages.

If I understand correctly, the best way to rewrite the backend in AngularJS is to use HTML templates, Angular routing and the ng-view directive. Laravel in this scenario is only for serving JSON, validating input and logging in users.

But how can I implement different secure areas for admins and for managers? Do I need to create a Laravel controller and route just for client-side checks of user permissions to do something? Or is there a better way to achieve this functionality?

And is it OK to put the backend Angular HTML templates in the /public directory?

Upvotes: 0

Views: 2424

Answers (1)

Bob Fanger

Reputation: 29897

The Laravel security/routes remain largely the same, but instead of rendering HTML it's going to return JSON.

Both ngRoute and angular-ui-router have a resolve property which allows you to reject users that aren't allowed to go to a certain route. But there are multiple ways to solve the routing:

Putting backend templates in a public location does give hackers insight into the backend frontend code and could expose an XSS attack surface, but AngularJS >= 1.2 makes it hard to inject html into your views.

I've used a strategy where the templates were in a "protected/" folder which could only be accessed by logged-in users.

If you're already using grunt I suggest checking out grunt-angular-templates. This allows you to group templates into a single JavaScript file, so you'll only need one protected Laravel route.

Upvotes: 1
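As an added illustration (not code from the question or the answer), here is the client-side `resolve` guard the answer describes, written as plain JavaScript so it runs without AngularJS. The `/admin/me` endpoint, the `roles` array in its JSON and the role names `manager`/`admin` are assumptions; the role-to-route mapping mirrors the question's route groups. The Laravel filters (`manager-auth`, `admin-auth`) still do the real enforcement on every JSON request; this only decides which views to load.

```javascript
// Constructed stand-ins for what a Laravel JSON endpoint such as
// /admin/me (assumed name) would return for three different sessions.
const fakeSessions = {
  manager: { name: 'alice', roles: ['manager'] },
  admin:   { name: 'bob',   roles: ['manager', 'admin'] },
  anon:    null,                       // not logged in -> Laravel answers 401
};

// Synchronous core of the check, so it can be unit-tested without Angular.
// Returns the same status codes the server-side filters would produce.
function authorize(user, requiredRole) {
  if (!user) return { allowed: false, status: 401 };
  if (!Array.isArray(user.roles) || !user.roles.includes(requiredRole)) {
    return { allowed: false, status: 403 };
  }
  return { allowed: true, status: 200 };
}

// Which role each admin area needs; mirrors the route groups in the question
// (manager-auth wraps everything, admin-auth wraps users/groups/pages).
const routeRoles = {
  '/admin':        'manager',
  '/admin/orders': 'manager',
  '/admin/news':   'manager',
  '/admin/users':  'admin',
  '/admin/groups': 'admin',
  '/admin/pages':  'admin',
};

// Stand-in for $http.get('/admin/me'); in Angular this would be the real call.
function fetchCurrentUser(session) {
  const user = fakeSessions[session];
  return user ? Promise.resolve(user) : Promise.reject({ status: 401 });
}

// Factory producing a resolve-style function. With ngRoute you would write
//   $routeProvider.when('/admin/users', { templateUrl: ..., resolve: { user: requireRole('admin') } })
// and inject $http instead of the simulated session; a rejected promise makes
// ngRoute emit $routeChangeError instead of rendering the view.
function requireRole(requiredRole) {
  return function (session) {
    return fetchCurrentUser(session)
      .then((user) => authorize(user, requiredRole),
            (err) => ({ allowed: false, status: err.status }))
      .then((result) => (result.allowed ? result : Promise.reject(result)));
  };
}

// Synchronous decision for a given session and path, used for quick checks.
function canNavigate(session, path) {
  const role = routeRoles[path];
  if (!role) return { allowed: false, status: 404 };
  return authorize(fakeSessions[session], role);
}
```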
