Angular – How to implement ACL / role based authorization with angular 2

aclangularrole-base-authorization

What is the best way to implement ACL / paper-based with angular 2?

My scenario, in a nutshell, is this: The roles are dynamic and are based on the permissions that the client can configure that can also be dynamic.

I need to prevent the user from having access to a particular resource that he is not authorized to do. For this I thought of using the concept of Guards of the Angular. With CanActivate Guard I could set whether to let the user pass or not, based on information I would put in each route. This information would be the name of the resource to which that route refers. When I got to the guard I could compare with his role and see if his role has access to this feature and whether or not to allow navigation.

But with that in could fall into two more problems:

1 – How to redirect the user to a resource that he has access to? Would I have to list the route files and look for someone who is compatible with his role and then redirect there?

2 – How to disable components that it can not see on pages that it can access? For example, it has access to the listing page X but it does not have access to create a new item, so I need to remove the Create Something button. Or rather, how to do this with divs elements that contains specific information for some roles but not for the role of it?

I would like to know how best to approach this scenario within the angular ecosystem.

Thanks for listening.

Best Answer

You can try to use ngx-permissions library for this. It supports, then, else syntax, lazy loading, isolated lazy loading. Add the library to the project:

@NgModule({

 imports: [
    NgxPermissionsModule.forRoot()
 ] 
 })
 export class AppModule { }

Load Roles

NgxRolesService
 .addRole('ROLE_NAME', ['permissionNameA', 'permissionNameB'])

 NgxRolesService.addRole('Guest', () => {
  return this.sessionService.checkSession().toPromise();
 }); 

 NgxRolesService.addRole('Guest', () => {
     return true;
 });

use in templates

<div *ngxPermissionsOnly="['ADMIN', 'GUEST']">
  <div>You can see this text congrats</div>
</div>

protect Your Guard

const appRoutes: Routes = [
 { path: 'home',
component: HomeComponent,
canActivate: [NgxPermissionsGuard],
data: {
  permissions: {
    only: ['ADMIN', 'MODERATOR'],
    except: ['GUEST']
   }
  }
 },
];

For detail documentation checkout wiki page.

Related Solutions

Multiple levels of authorization, not only role-based

After a long time I finally found an answer that satisfies all my requirements: http://lostechies.com/derickbailey/2011/05/24/dont-do-role-based-authorization-checks-do-activity-based-checks/.

His solution is to consider everything as an activity, the permission to execute/call/whatever an activity is given to a role and users can have multiple roles.

What shines in this approach is that the permission check is done on the activity itself, not on the roles.

Javascript – In Angular, how do you determine the active route

With the new Angular router, you can add a [routerLinkActive]="['your-class-name']" attribute to all your links:

<a [routerLink]="['/home']" [routerLinkActive]="['is-active']">Home</a>

Or the simplified non-array format if only one class is needed:

<a [routerLink]="['/home']" [routerLinkActive]="'is-active'">Home</a>

Or an even simpler format if only one class is needed:

<a [routerLink]="['/home']" routerLinkActive="is-active">Home</a>

See the poorly documented routerLinkActive directive for more info. (I mostly figured this out via trial-and-error.)

UPDATE: Better documentation for the routerLinkActive directive can now be found here. (Thanks to @Victor Hugo Arango A. in the comments below.)

Best Answer

Related Solutions

Multiple levels of authorization, not only role-based

Javascript – In Angular, how do you determine the active route

Related Topic