Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add option to Reset/Delete Routes #1436

Closed
sneila opened this Issue May 18, 2017 · 6 comments

Comments

Projects
None yet
4 participants
@sneila
Copy link

commented May 18, 2017

What problem does this feature solve?

My written application allows non logged users part of the app, which is handled through allowed routes (addRoute()), yet once they log in, a new set of routes are added/replaced. Unfortunate, once he loges out, the routes remain stored, and i can not overwrite these, since these are stored in a private scope.

Offtopic: addRoute() is missed out from the documentation.

What does the proposed API look like?

Either give us a way to delete the routes (deleteRoutes()??), to be able to replace them with AddRoutes
OR, add an argument to addRoutes to overwrite the previous ones.
OR, expose the routes as a public variable that we can manipulate. router.options.routes is unchanged even after addRoutes, but the added routes are correctly routed, even if not shown in the above variable

@posva

This comment has been minimized.

Copy link
Member

commented May 18, 2017

Closing in favour of #1234
As a side note, you shouldn't need to delete previously added routes

@posva posva closed this May 18, 2017

@sneila

This comment has been minimized.

Copy link
Author

commented May 18, 2017

This is what happens:

  • user accesses homepage
  • user gets 4 routes he is allowed to visit
  • user accesses a 5th route he has bookmarked
  • user is being asked to login
  • user logs in, gets 10 routes, including/excluding the old ones (does not matter)
  • user now has access to 10 routes (or 14, whatever).
  • user logs out
  • the router object STILL has 10 routes, and he is able to browse / accesses them
  • (yes, i need now to manage each separate page, to see if he is allowed to access it or not)
  • rather then kill the routes, and overwrite them (which is not possible), i need to literally alter each damn component, to verify if it should or not have access to it.
  • no problem, he logs back in, another 10 routes are added. (at this point the router has 20 routes stored, some of which are duplicate, alternate added routes will be ignored as it will always return the first matched one)

And no, i can not expose all routes to a non registered user, that would be a security/flaw.

@posva

This comment has been minimized.

Copy link
Member

commented May 18, 2017

once the user has access to the 10 routes, there's no point in removing them, because, as you said, you need to add a navigation guard to prevent him from accessing them anyway. From a security point of you, you have already given up the information, so removing them change nothing.
About the duplication, you can save the state somewhere to prevent the duplication
hope it helps 🙂

@sneila

This comment has been minimized.

Copy link
Author

commented May 19, 2017

My app runs in a factory. User A, B, C, are normal factory employees. They have access to the normal routes (the 4 routes we talked above).
User X, Y, Z are Admins, and they go in, the same terminal, to approve the normal user workflow/issues, and they log in, and have access to extra areas/sections (aka the 10 routes)
Once their job is done, they log off, and leave the terminal open for the normal users (A, B, C) to continue work.

In the above scenario, the normal Users, will have now the admin routes loaded, and could use the routes (they can see/find these in the history of the browser).

The only way to prevent this, at this moment, is on logout, to do a hard reload (window.location). This is by far a very ugly hack. I'd rather have an option the remove the routes.

I do understand, that in most cases there is no need to delete/remove routes, yet in my case, and as you can see in the other topic, Apps differ form each other.

@simplesmiler

This comment has been minimized.

Copy link
Member

commented May 19, 2017

@sneila there should be nothing private about available routes in the system. If you think otherwise, please refer to https://en.wikipedia.org/wiki/Security_through_obscurity

If your backend does authorize access to resources, then there is no point in deleting the routes, because regular users won't be able to use them to access the private resources (get/post data) anyway.

If your backend does not authorize access to resources, then you've got much bigger security problems then regular users seeing admin routes.

The proper way to do access control on the client (the UX part, because client is unreliable by definition) is to store the role list of the currently authenticated user, and use that to verify that the user has access to the route when the transition from route to route happens.

@Britford

This comment has been minimized.

Copy link

commented Nov 12, 2018

@simplesmiler while the backend should protect from unauthorized route attempts, this does seem to be a valid use case for the front end. Otherwise, we wouldn't really need addRoute(). Just include every possible route on app load. It might also make displaying appropriate navigation options easier. +1 for deleteRoute().

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.