How to restrict a route to the administrator in Meteor?

As primarily an iOS developer, I am very new to webdev. I am looking at Meteor and have some questions regarding routing - my apologies if they are very basic.

I use the Meteor Router package to create routes, but I would like some pages to be accessible only to the admin user.

    Meteor.Router.add({
      '/' : 'home',
      '/admin' : 'admin'
    });

So, I have a simple route setup as above, but I'm not sure how to restrict access to the /admin route.

Is it as simple as something like this? What would be a good way to limit the route to the /admin page and show a warning, or perhaps even redirect them back to the / page?

Thanks!

client.html

    <head>
      <title>My App</title>
    </head>

    <body>
      {{renderPage}}
    </body>

    <template name="home">
      {{greeting}}
    </template>

    <template name="admin">
      {{greeting}}
    </template>

client.js

    Template.admin.greeting = function () {
      var currentUser = Meteor.user();
      if (null !== currentUser && 'admin' === currentUser.username) {
        return "Hello Admin!";
      } else {
        return "Sorry, only admins can see this page";
      }
    };
+8
meteor
4 answers

The best way to restrict access to the route is with the router itself (instead of redirecting the problem to your controller). You have several options in how you do this:

Routing function

You can make the /admin route look like:

    '/admin': function() {
      return {
        as: 'admin',
        to: function() {
          if (Meteor.user() && Meteor.user().username === 'admin') {
            return 'admin';
          } else {
            return 'unauthorized';
          }
        }
      };
    }

I assume you have an unauthorized template that displays a 403 page or something informative.

Filter

Alternatively, you can leave your original /admin route as it is and add a filter:

    Meteor.Router.filters({
      'needsAdmin': function(page) {
        if (Meteor.user() && Meteor.user().username === 'admin') {
          return page;
        } else {
          return 'unauthorized';
        }
      }
    });

and use it like this:

    Meteor.Router.filter('needsAdmin', {only: 'admin'});

Personally, I like the filter option because it is reusable and it is a little more obvious what is happening.

+8

Another solution is to use the Roles package and make sure that the user has the "admin" role before serving data.

    $ mrt add roles

Then you can check the roles, for example, using the syntax:

    if (!Roles.userIsInRole(Meteor.user(), ['admin'])) {
      // Redirect...
    }

Roles are integrated with the Meteor account system and work great with most account packages.

If you want to manage accounts (create/delete roles and add/remove roles from a given user), I created the Accounts Admin UI package. The README has a quick start and some notes on how to integrate this with other routing packages.

    $ mrt add accounts-admin-ui-bootstrap-3
+2
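
The checks in the answers on this page run in the browser and decide which template is rendered; the admin data itself is only protected when the server applies the role check "before serving data". The following is an added example, not code from any answer here, showing that check inside a publish handler. `makeAdminPublication`, `subscribeAs`, the `adminSecrets` name and the in-memory stand-ins for Roles and the collection are assumptions so the handler can run outside Meteor.

```javascript
// Added example: server-side counterpart to the client-side route checks.
// Builds a publish handler that serves documents only to users in the admin role.
// In a Meteor app (assumed names):
//   Meteor.publish('adminSecrets', makeAdminPublication(Roles, Secrets));
function makeAdminPublication(roles, collection) {
  return function () {
    // this.userId comes from the server's login session, not from client input.
    if (!this.userId || !roles.userIsInRole(this.userId, ['admin'])) {
      this.ready(); // complete the subscription with zero documents
      return undefined;
    }
    return collection.find({});
  };
}

// --- Constructed stand-ins so the handler can be exercised offline ---
const roleTable = { u1: ['admin'], u2: ['editor'] };
const fakeRoles = {
  userIsInRole: (userId, wanted) =>
    (roleTable[userId] || []).some((r) => wanted.includes(r)),
};
const fakeSecrets = { find: () => [{ _id: 's1', note: 'admin only' }] };

// Calls the handler the way Meteor would: `this` is the subscription object.
function subscribeAs(userId) {
  const sub = {
    userId,
    readyCalled: false,
    ready() { this.readyCalled = true; },
  };
  const result = makeAdminPublication(fakeRoles, fakeSecrets).call(sub);
  return { docs: result || [], readyCalled: sub.readyCalled };
}

console.log('admin     ->', subscribeAs('u1'));
console.log('editor    ->', subscribeAs('u2'));
console.log('anonymous ->', subscribeAs(null));
```

With this in place, a user who bypasses the router filter in the browser console still receives no admin documents, because the subscription comes back empty.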

Use the 'and' parameter:

    Meteor.Router.add({
      '/admin': {
        to: 'admin',
        and: function() {
          if (!Meteor.user() || Meteor.user().name != 'admin') {
            Meteor.Router.to('/');
          }
        }
      }
    });
+1

Everyone here elaborated on how to protect the admin panel at the router level. Another possibility is to skip the router altogether. I recently did this with Meteor Candy, an administration package for Meteor.

The idea is that you could create a ReactiveDict to store the state of the admin interface. If you put it in a package, you can make sure that it never comes across your application code. And with the new Dynamic Imports feature, you can practically disconnect it from the client until it is needed.

Here's how it might work:

    <template name="adminPanel">
      {{#if show}}
        {{> adminPanelUI}}
      {{/if}}
    </template>

    AdminUI = new ReactiveDict();

    Meteor.defer(function () {
      Blaze.render(Template.MeteorCandy, document.body);
    });

    Template.adminPanel.helpers({
      show: function () {
        if (AdminUI.get('show')) {
          return true;
        }
      }
    })

In addition, all you need to do is define a case that sets the "show" value to truthy.

0