SPA user roles and Angular security
Rich RESTful backend, division of users by roles, a chain of middlewares, etc. I'm interested in the issue of security, while I'm not very good at practicing Angular, and perhaps this is a noob question.
Is it safe to pass such fields as IsAdmin and Permissions lists for a specific user in the JSON body? Is it possible to somehow fake / get close to the client code so that it would be possible to force Angular to show, for example, the Admin menu, or something else forbidden for a particular user? It is clear that on the backend I will not let you do what is not allowed. Only the client hack on Angular is interesting.
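
The split the question describes (role flags in the JSON body for the UI, enforcement in the backend middleware chain), as an added example that is not part of the original post: the server resolves permissions from its own record keyed by the session token and never reads `isAdmin` or `permissions` from the request. The tokens, user store and function names are constructed for illustration.

```javascript
// Constructed server-side store: permissions live here, keyed by session token.
const USERS = new Map([
  ["tok-alice", { name: "alice", permissions: ["reports:read"] }],
  ["tok-root", { name: "root", permissions: ["reports:read", "users:delete"] }],
]);

// Middleware 1: identify the caller from the token only, never from the body.
function authenticate(req) {
  const user = USERS.get(req.token);
  if (!user) return { status: 401, body: { error: "unauthenticated" } };
  req.user = user;
  return null; // null means "continue down the chain"
}

// Middleware 2 factory: check a permission against the server-side record.
function requirePermission(perm) {
  return (req) =>
    req.user.permissions.includes(perm)
      ? null
      : { status: 403, body: { error: "forbidden" } };
}

// Run middlewares in order; the first one that returns a response stops the chain.
function runChain(req, middlewares, handler) {
  for (const mw of middlewares) {
    const res = mw(req);
    if (res) return res;
  }
  return handler(req);
}

// Privileged endpoint: any isAdmin/permissions sent in req.body are ignored.
function deleteUser(req) {
  return runChain(req, [authenticate, requirePermission("users:delete")], (r) => ({
    status: 200,
    body: { deleted: r.body.target },
  }));
}

// Profile endpoint: the flags the SPA uses to decide which menus to render.
// They are derived from the server record and are a display hint only.
function profile(req) {
  return runChain(req, [authenticate], (r) => ({
    status: 200,
    body: {
      name: r.user.name,
      isAdmin: r.user.permissions.includes("users:delete"),
      permissions: r.user.permissions,
    },
  }));
}
```

Flipping the flag in the browser changes what Angular renders, but every request the revealed menu issues still passes through the same server-side checks.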