chaplinjs / chaplin

HTML5 application architecture using Backbone.js
http://chaplinjs.org

Access Control implementation #848

Open danielesalvatore opened 9 years ago

danielesalvatore commented 9 years ago

Hello there,

I would like to implement a basic access control system using the beforeAction() method of controllers.

Given this scenario:

ChaplinJS 1.0.1

Pages:
index.html (public)
index.html#private (private)

Routes:
match('', 'index#show');
match('private', 'private#show');

private-controller.js inherits from a parent controller as it happens in https://github.com/chaplinjs/chaplin-boilerplate-plain. The beforeAction() method of private-controller.js is implemented as a JS promise using the RSVP.js library and it is correctly resolved.

How can I stop the show() method call if the promise is rejected? In my reject function, redirectTo() is called to bring the user back to the index.

Another issue is that redirectTo() seems to work only the first time it is called, so if I type #private in the URL, the page is displayed with no consideration of the rejection of the control check and the redirectTo() call.

If there is some reference about how to implement an access control system with ChaplinJS, could you link it in a reply?

Here is the code, in which the promise always rejects, as if the user does not have the rights to see its content.

var privateController = Controller.extend({

    beforeAction: function () {

        Controller.prototype.beforeAction.apply(this, arguments);

        // Run the access check before the action and return the resulting promise
        return this.performAccessControlChecks().then(
            _.bind(this.allowAccessControl, this), _.bind(this.denyAccessControl, this));
    },

    performAccessControlChecks: function () {

        return new RSVP.Promise(function (fulfilled, rejected) {

            // Always reject, simulating a user without access rights
            rejected();
            return;

            //not reachable
            fulfilled();
        });
    },

    allowAccessControl: function () {
        console.log("private#allowAccessControl");
    },

    denyAccessControl: function () {
        console.log("private#denyAccessControl");
        Chaplin.utils.redirectTo('index#show');
    },

    show: function (params, route, options) {
        console.log("private#show");

        this.view = new View({
           ...
        });
    },
    ...