Authorize to access routes

rytis · March 24, 2013, 3:37pm

Hello,

I’m trying to solve a basic problem but I cannot seem to figure out how to do this with Ember. How can I prevent access to routes until App.User.loggedIn is set to true?

These are the routes that I have:

App.Router.map(function() {
    this.route('login', { path: '/' });
    this.route('home');
    this.route('settings');
    this.route('help');
    // ... and some nested routes too
});

The user model:

App.User = Ember.Object.create({
    loggedIn: false
});

I can implement the redirect function of every route like so:

App.HomeRoute = Ember.Route.extend({
    redirect: function() {
        if (!App.User.loggedIn) {
            this.transitionTo('login');
        }
    }
});

But it feels dirty doing it this way. Is there a better way of solving this problem?

lookingsideways · March 24, 2013, 3:41pm

Check out the ember-auth project at https://github.com/heartsentwined/ember-auth

It includes a customised route class that allows you to redirect unauthorised requests to the login page.

rytis · March 24, 2013, 3:56pm

Hi, I’m not familiar with coffeescript. But looking at this file https://github.com/heartsentwined/ember-auth/blob/master/src/routes/auth.coffee I feel like I’m doing a similar thing.

darthdeus · March 24, 2013, 5:51pm

You could just create a parent AuthenticatedRoute which would implement this behavior, and then all of your routes would just be defined as

App.HomeRoute = App.AuthenticatedRoute({ ... });

rytis · March 24, 2013, 7:39pm

Yep, that’s what I ended up doing. I will post a complete example here later on!

davidcalhoun · March 25, 2013, 6:13pm

Look forward to seeing your progress and example @rytis!

benburton · March 25, 2013, 7:40pm

I’ve done some basic auth in my Ember app here. The basic premise is to redirect to login on a 401 from the API. Also, if there’s a global authentication_token variable defined or stored in a cookie, sign all requests with it. Not sure if it’s the best approach (I’m not crazy about the jQuery ajax 401 manipulation), but it has been working pretty well.

ernesto_miguel · September 9, 2013, 5:15pm

I like the benburton way but I would also do it using authorization atributes on each request and a correct aproach when “request denied” comes from the server.

On server side you could use an ACL system or something else for each request, declaring resources and types of access (read, write, etc.).

Topic		Replies	Views
ESA: issues with redirection Routing	3	667	August 11, 2019
Specifying whether or not routes should check for authentication	5	3354	July 27, 2015
Simple Auth redirect Learning Team	6	3235	March 24, 2020
User's role and how to restrict access to routes (kind of ACL)	3	7493	November 30, 2013
Permissions access check for all routes	12	5521	December 19, 2013

Authorize to access routes

Related topics