I'm in the process of designing an application I want to write using Angular 2 and had some basic questions that could have a major effect on the overall design and I'm just stumped with how to do it the "right angular way". My questions are:

1) Dynamic Routing Question: I don't like the way that the docs have recommended right now where they put all the routes in at the beginning in the root component. I want to be able to dynamically add/remove from the route configuration object as secure component modules are initialized and the user is verified to have access to that particular area/module. For example: The root app.component does an initial setup of the application, including setting up the initial public route configuration for the public portion of the application. If a user logs in successfully, then AT THAT POINT, I want to initialize the secure component and dynamically add the general secure routes to the router. I want to do the same with any secure child components such that the "parent component" of an area will define what routes a user has access to and add those accordingly to the route configuration when that parent component is initialized and the user has been verified to have access to that component. So, is this even possible? In the examples the route configuration is a constant but I was hoping that I could do this via component appending to the route configuration.

2) Component level permissions: In addition to having access to a whole component, there are also permissions inside that component that a user may have (example: a user has access to the equipment module. Within the equipment module, they have access to read the equipment list but they can't CUD them). I want to be able to store a user's permissions in the db in a . type record (for example: "userID, 'equipment.retrieve'"). Then I'd like to create a structural directive that accepts a property of what permission has access (i.e. permission="equipment.retrieve") and hides the element if it evaluates to false. My question here is if this is enough security on the client side for permissions? I have authorization checks on the API level that should block a user anyway if they don't have permissions, but I want to make sure I'm doing this the best way on the client side.

I'd love any feedback I could get.

JakeHova

1 Answer

You need to load all routes at once, but you can load them again later like

```typescript
router.resetConfig([
  { path: 'team/:id', component: TeamCmp, children: [
    { path: 'simple', component: SimpleCmp },
    { path: 'user/:name', component: UserCmp }
  ] }
]);
```

This way you can modify the routes array at any time and then reset the router configuration to the new updated routes array.

See also New Angular2 router configuration

https://github.com/angular/angular/issues/11437#issuecomment-245995186 provides an RC.6 Plunker

Günter Zöchbauer
  • That's interesting. I guess I can create a service to maintain and update the route configuration. Not as clean as I wish it was, but it'll work. Thanks! Any thoughts on the permissions access? – JakeHova Jul 20 '16 at 02:22
  • Not sure what the permissions access is about. The structural directive approach seems reasonable. To "enough security" - security has to be enforced on the server, if it's done on the client it's not secure at all. On the client it's just like a curtain anybody can remove easily to see what he wants. – Günter Zöchbauer Jul 20 '16 at 03:05
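
An added example, not part of the original posts: the thread's two ideas side by side, pruning a route table by permission strings such as 'equipment.retrieve' before handing it to `router.resetConfig()`, next to a server-side check that decides from stored permissions only. `AppRoute`, the `data.permission` convention, `routesFor`, `paths`, `apiStatus` and the sample routes are all assumptions made for illustration.

```typescript
// Stand-in for Angular's Route shape so the block runs without Angular.
// Storing the required permission under `data.permission` is an assumed convention.
interface AppRoute {
  path: string;
  data?: { permission?: string };
  children?: AppRoute[];
}

// Constructed sample route table: public and secure areas together.
const ALL_ROUTES: AppRoute[] = [
  { path: 'home' },
  { path: 'equipment', data: { permission: 'equipment.retrieve' }, children: [
    { path: 'list' },
    { path: 'edit/:id', data: { permission: 'equipment.update' } },
  ] },
  { path: 'admin', data: { permission: 'admin.retrieve' } },
];

// Client side: prune the tree to what the user may see. A denied parent drops
// its whole subtree. The result is what would be passed to router.resetConfig().
function routesFor(granted: ReadonlyArray<string>, routes: AppRoute[]): AppRoute[] {
  const out: AppRoute[] = [];
  for (const r of routes) {
    const required = r.data ? r.data.permission : undefined;
    if (required !== undefined && granted.indexOf(required) === -1) continue;
    const copy: AppRoute = { ...r };            // copy, so ALL_ROUTES is not mutated
    if (r.children) copy.children = routesFor(granted, r.children);
    out.push(copy);
  }
  return out;
}

// Flatten a route tree to full paths, for inspection.
function paths(routes: AppRoute[], prefix: string = ''): string[] {
  let out: string[] = [];
  for (const r of routes) {
    out.push(prefix + r.path);
    if (r.children) out = out.concat(paths(r.children, prefix + r.path + '/'));
  }
  return out;
}

// Server side (hypothetical API helper): decides from the permissions stored
// in the database, never from what the browser claims about itself.
function apiStatus(storedPerms: ReadonlyArray<string>, required: string): number {
  return storedPerms.indexOf(required) !== -1 ? 200 : 403;
}
```

Editing the permission list in the browser changes which routes `routesFor` returns, but `apiStatus` still answers 403 because it reads the stored list.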