This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

Guest role added to State doesn't allow guest access #1098

Closed
mleanos opened this issue Dec 11, 2015 · 0 comments

mleanos commented Dec 11, 2015

When adding the guest role to any client route's data.roles array, it doesn't have any effect on the resolving of that route; the route is inaccessible to the unauthenticated user.

To reproduce, just add the following to this route config articles.client.routes

data: {
  roles: ['guest']
}

Currently, this route is accessible to an unauthenticated user because of how the core client app init $stateChangeStart is working.

It doesn't take into account that when the toState.data.roles has length, but there's no authenticated user. It just continues processing and never checks for guest access.

I realize that if a client route has guest access, then the data.roles probably wouldn't have any other roles defined; and most likely, it would not have this setting on the route. However, this is still a bug because the intended use of data.roles is to allow complete flexibility, and the developer should have complete control.

One should be able to define a client route with data.roles = ['user', 'admin', 'guest'], or any combination that suits their needs.

The simple fix is to add || role === 'guest' to the $stateChangeStart code like so, and should satisfy this bug.

var allowed = false;
toState.data.roles.forEach(function (role) {
  if ((Authentication.user.roles !== undefined && Authentication.user.roles.indexOf(role) !== -1) || (role === 'guest')) {
    allowed = true;
    return true;
  }
});

lirantal added this to the 0.5.0 milestone Dec 18, 2015
mleanos added a commit to mleanos/mean that referenced this issue Dec 30, 2015
Adds a check for the existence of the "guest" role in the state configuration
that we're transitioning to, in the core $stateChangeStart event handler. If
it exists, then we allow access.

Also, added validation of Authentication.user object. While writing
tests, I ran into an issue here when the Authentication service wasn't injected
into a controller. Probably best to have this check in place.

Fixes meanjs#1098
lupinthethirdgentleman pushed a commit to lupinthethirdgentleman/mean-dashboard that referenced this issue Aug 5, 2021
Adds a check for the existence of the "guest" role in the state configuration
that we're transitioning to, in the core $stateChangeStart event handler. If
it exists, then we allow access.

Also, added validation of Authentication.user object. While writing
tests, I ran into an issue here when the Authentication service wasn't injected
into a controller. Probably best to have this check in place.

Fixes meanjs/mean#1098
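
The role check proposed in the issue, combined with the Authentication.user validation mentioned in the commit message, as an added stand-alone example. It is not the MEAN.js code: isStateAllowed, onStateChangeStart, accessMatrix and the sample states and users are hypothetical names, and treating a state with no roles as unrestricted is an assumption.

```javascript
// Added example, not MEAN.js code. All names and sample data are constructed.

// Decide whether `user` may enter `toState`, based on toState.data.roles.
function isStateAllowed(toState, user) {
  var required = toState && toState.data && toState.data.roles;
  // Assumption: a state with no roles array (or an empty one) is unrestricted.
  if (!Array.isArray(required) || required.length === 0) { return true; }
  // 'guest' anywhere in the list opens the state to everyone, signed in or not.
  if (required.indexOf('guest') !== -1) { return true; }
  // Validate the user object before touching user.roles: it may be
  // undefined, null, '' or an object without a roles array.
  var held = (user && typeof user === 'object' && Array.isArray(user.roles)) ? user.roles : [];
  return required.some(function (role) { return held.indexOf(role) !== -1; });
}

// Body of a $stateChangeStart-style listener: cancel the transition when denied.
function onStateChangeStart(event, toState, user) {
  var allowed = isStateAllowed(toState, user);
  if (!allowed) { event.preventDefault(); }
  return allowed;
}

// Constructed sample route states and user objects.
var states = {
  open: {},
  guestOnly: { data: { roles: ['guest'] } },
  mixed: { data: { roles: ['user', 'admin', 'guest'] } },
  adminOnly: { data: { roles: ['admin'] } }
};
var users = {
  anonymous: undefined,
  emptyString: '',
  noRoles: {},
  user: { roles: ['user'] },
  admin: { roles: ['user', 'admin'] }
};

// Build a { stateKey: { userKey: boolean } } table of access decisions.
function accessMatrix() {
  var out = {};
  Object.keys(states).forEach(function (s) {
    out[s] = {};
    Object.keys(users).forEach(function (u) {
      out[s][u] = isStateAllowed(states[s], users[u]);
    });
  });
  return out;
}

console.log(accessMatrix());
```

A client-side route guard like this only controls navigation in the browser; the server-side routes still have to enforce the same roles.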