Not found route should be protected by guardRoute() #451

Closed
ToddThomson opened this Issue Mar 3, 2014 · 4 comments


@ToddThomson

I use guardRoute() to check for user authorization. All routes may have a config.authorizedRoles property. Within my app, I do not want to show a view until the user is authorized to view it - even the 'not found' route.

@EisenbergEffect
Member

What should happen then if the route is not found?

@ToddThomson

The point is that the not found route is not protected by the guardRoute routine. If a user is not authenticated then the only page I want to show is my login view. I don't care if a route is not found when a user visits the app; until they are authenticated they just get the view I choose. I do this through the logic in the guardRoute routine.
This isn't a big deal, but all routing should go through guard route.

@EisenbergEffect
Member

As far as I can see in the code, the not found route uses the same code path as every other route. Everything starts at dequeueInstruction and then goes to ensureActivation which calls guardRoute if it's present.

@ToddThomson

I've traced this - any unmapped routes are processed through queueInstruction( instruction ). If I enter /#gerb then the route /#notfound is activated without going through guardRoute(). If I enter /#notfound then guardRoute is called. Perhaps the instruction fragment needs to be updated for unmapped routes.

Here is my setup:

        // Lifecycle..
        activate: function() {
            router.map( [
                {
                    route: 'notfound',
                    moduleId: 'viewmodels/notfound',
                    title: 'Not found',
                    nav: false,
                    authorizedRoles: []
                }
            ] ).buildNavigationModel()
              .mapUnknownRoutes( 'viewmodels/notfound', 'notfound' );

            // Runs before a route is activated; returning a string redirects.
            router.guardRoute = function( model, instruction ) {
                system.log( "shell guardRoute(): checking authorization for route:", instruction.fragment );

                if ( instruction.config.authorizedRoles ) {
                    system.log( "shell guardRoute(): route requires authorization check.." );
                    if ( !authorize.isAuthorized( instruction.config.authorizedRoles ) ) {
                        return "/account/login?returnUrl=" + encodeURIComponent( instruction.fragment );
                    }
                }

                return true;
            };
        }
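
As an added example (not code from this thread or from Durandal): a small stand-alone dispatcher in which unmapped fragments such as `#gerb` pass through the same guard as mapped routes, with a deny-by-default guard so an unauthenticated visitor only ever gets the login view. `createRouter`, `makeGuard`, `demo`, the route table and the reading of an empty `authorizedRoles` as "any signed-in user" are assumptions made for illustration.

```javascript
// Hypothetical stand-in for a hash router; not Durandal's API.
function createRouter(routes, unknownRoute, guard) {
  // Unmapped fragments fall back to the catch-all config but keep the
  // fragment the user actually typed, so the guard sees the real request.
  function resolve(fragment) {
    const config = routes.find((r) => r.route === fragment) || unknownRoute;
    return { fragment, config };
  }
  // Single choke point: every instruction, mapped or not, is guarded
  // before a module id is handed back for activation.
  function navigate(fragment) {
    const instruction = resolve(fragment);
    const verdict = guard(instruction);
    if (verdict === true) return { activate: instruction.config.moduleId };
    return { redirect: verdict };
  }
  return { navigate };
}

// Deny by default: without a session every fragment redirects to login, so
// the not-found view cannot reveal which routes are mapped.
function makeGuard(session, loginRoute) {
  return function guard(instruction) {
    if (instruction.config.route === loginRoute) return true; // avoid a redirect loop
    const login = "/" + loginRoute + "?returnUrl=" + encodeURIComponent(instruction.fragment);
    if (!session.user) return login;
    // Assumption: an empty or missing role list means "any signed-in user".
    const roles = instruction.config.authorizedRoles || [];
    const ok = roles.length === 0 || roles.some((r) => session.user.roles.includes(r));
    return ok ? true : login;
  };
}

// Constructed sample routes and session.
const routes = [
  { route: "account/login", moduleId: "viewmodels/login" },
  { route: "admin", moduleId: "viewmodels/admin", authorizedRoles: ["admin"] },
];
const unknownRoute = { route: "notfound", moduleId: "viewmodels/notfound", authorizedRoles: [] };

function demo() {
  const session = { user: null };
  const router = createRouter(routes, unknownRoute, makeGuard(session, "account/login"));
  const anonymous = ["gerb", "notfound", "admin", "account/login"].map((f) => router.navigate(f));
  session.user = { roles: ["user"] }; // sign in without the admin role
  const signedIn = ["gerb", "admin"].map((f) => router.navigate(f));
  return { anonymous, signedIn };
}
```
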