
We have an AngularJS application where we have different roles associated with the users. For example, the two roles are Admin and Local. Based on the role, we show some menu items for the Admin and add more features/screens for the Admin.

The userInfo with the Admin property is returned from the login response, and based on that we decide which menus and screens are to be rendered.

But if we use the developer tools, set a breakpoint where the admin property is used, and set the admin property to true, the user, even if he is a local user, would be able to access admin privileges.

In short, anyone who has some idea about the JavaScript code can get the admin privileges. Is there any idea other than minification of the code to prevent this kind of security threat?

Thanks

rahulmr
    You should rely on the server side to return correct menu items based on the role. Never trust the client side, because it can always be manipulated. – matox Nov 23 '16 at 09:05

1 Answer

As the front-end of your application will run on the client machine there is actually no way to stop a user from debugging or modifying the code. Thus it's impossible to prevent someone from tricking their local instance of the application to think it's signed in as an administrator.

If you simply want to hide the admin interface, one possibility is to have separate (or additional) templates for administrators and restrict access to these based on the user's privilege. Whether there is anything to be gained from this is up to you. You will still need to validate the rights to execute any privileged action on the server anyway. Obtaining administrative privileges on the client must never be the same as obtaining them on the server side.

user1421750
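The server-side enforcement the answer describes, as an added example that is not part of the original post: a minimal Node.js request handler in which the role is read only from the server's session store, the admin template and admin API routes are gated by that role, and a forged `isAdmin` flag in the request body has no effect. The session store, route table and token values are constructed for the example.

```javascript
// Added example: authorization that stays correct even when the browser's
// copy of the admin flag is tampered with in the developer tools.
// Assumption: the client sends an opaque session cookie; the role lives only
// in the server-side session record, never in anything the client sends.

// Constructed sample session store (a real app would use a session backend)
const sessions = {
  'tok-alice': { user: 'alice', role: 'Admin' },
  'tok-bob':   { user: 'bob',   role: 'Local' },
};

const RANK = { Local: 1, Admin: 2 };   // role ordering used for checks

// Menu is computed from the server-side role, so a Local user can never
// obtain the admin entries by editing client state.
function menu(session) {
  const items = ['Home', 'Reports'];
  if (session.role === 'Admin') items.push('User management');
  return { items };
}

// Every route declares the minimum role it requires; the admin template
// itself is served only to administrators (the "separate templates" idea).
const ROUTES = {
  'GET /api/menu':        { role: 'Local', handler: menu },
  'GET /templates/admin': { role: 'Admin', handler: () => ({ html: '<admin-panel></admin-panel>' }) },
  'POST /api/users':      { role: 'Admin', handler: (s, body) => ({ created: body.name }) },
};

// Entry point an HTTP server would call. req.body is the parsed JSON the
// client sent; it may contain a forged `isAdmin: true`, which is ignored.
function handle(req) {
  const session = sessions[req.cookie];
  if (!session) return { status: 401, body: { error: 'not signed in' } };
  const route = ROUTES[`${req.method} ${req.path}`];
  if (!route) return { status: 404, body: {} };
  // Authorization uses session.role only, never req.body.isAdmin.
  if (RANK[session.role] < RANK[route.role]) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: route.handler(session, req.body || {}) };
}

// Stand-alone demo: bob forges the admin flag and is still refused.
const forged = { method: 'POST', path: '/api/users', cookie: 'tok-bob', body: { isAdmin: true, name: 'eve' } };
console.log(handle(forged).status);              // 403
console.log(handle({ method: 'GET', path: '/api/menu', cookie: 'tok-bob' }).body.items);
```

The AngularJS client then only renders whatever `/api/menu` returns; flipping the flag in a breakpoint changes the local view at most, not what the server will serve or execute.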