Table of Contents
Implementing granular user permissions is crucial for building secure and flexible Angular applications. By leveraging route guards such as CanLoad and CanActivate, developers can control access to different parts of their application based on user roles and permissions.
Understanding Route Guards in Angular
Angular provides several route guards that help manage navigation and access control. The most commonly used are CanActivate and CanLoad. While both are used to restrict access, they serve different purposes and are triggered at different stages of the routing process.
CanActivate
The CanActivate guard determines whether a route can be activated. It runs before the route is displayed, making it suitable for checking permissions and user authentication status. If the guard returns true, the route loads; if false, navigation is canceled or redirected.
CanLoad
The CanLoad guard controls whether a module should be loaded at all. It runs before the lazy-loaded module is fetched, preventing unnecessary loading of modules if the user lacks permissions. This is especially useful for large applications with multiple modules.
Implementing Granular Permissions
To implement granular permissions, you typically maintain a user roles and permissions service. This service provides methods to check if a user has specific rights, which are then used within your route guards.
Creating a Permissions Service
A permissions service centralizes permission logic. It might look like this:
import { Injectable } from '@angular/core';
@Injectable({
providedIn: 'root'
})
export class PermissionsService {
private userPermissions: string[] = [];
constructor() {
// Fetch user permissions from API or storage
this.userPermissions = ['read', 'write', 'admin'];
}
hasPermission(permission: string): boolean {
return this.userPermissions.includes(permission);
}
}
Implementing CanActivate Guard
The CanActivate guard uses the permissions service to decide access:
import { Injectable } from '@angular/core';
import { CanActivate, ActivatedRouteSnapshot, RouterStateSnapshot, Router } from '@angular/router';
import { PermissionsService } from './permissions.service';
@Injectable({
providedIn: 'root'
})
export class PermissionGuard implements CanActivate {
constructor(private permissionsService: PermissionsService, private router: Router) {}
canActivate(
route: ActivatedRouteSnapshot,
state: RouterStateSnapshot
): boolean {
const requiredPermission = route.data['permission'];
if (this.permissionsService.hasPermission(requiredPermission)) {
return true;
} else {
this.router.navigate(['/access-denied']);
return false;
}
}
}
Implementing CanLoad Guard
The CanLoad guard similarly checks permissions but at the module loading stage:
import { Injectable } from '@angular/core';
import { CanLoad, Route, UrlSegment, Router } from '@angular/router';
import { PermissionsService } from './permissions.service';
@Injectable({
providedIn: 'root'
})
export class ModulePermissionGuard implements CanLoad {
constructor(private permissionsService: PermissionsService, private router: Router) {}
canLoad(
route: Route,
segments: UrlSegment[]
): boolean {
const requiredPermission = route.data?.['permission'];
if (this.permissionsService.hasPermission(requiredPermission)) {
return true;
} else {
this.router.navigate(['/access-denied']);
return false;
}
}
}
Configuring Routes with Guards
Apply guards in your route configuration to enforce permissions:
const routes = [
{
path: 'admin',
loadChildren: () => import('./admin/admin.module').then(m => m.AdminModule),
canLoad: [ModulePermissionGuard],
data: { permission: 'admin' }
},
{
path: 'dashboard',
component: DashboardComponent,
canActivate: [PermissionGuard],
data: { permission: 'read' }
}
];
Best Practices for Permission Management
- Maintain a centralized permissions service for consistency.
- Use route data to specify required permissions for each route.
- Combine CanActivate and CanLoad guards for comprehensive security.
- Redirect unauthorized users to an access-denied page or login.
- Regularly update permissions based on user roles and application needs.
Implementing granular permissions with CanLoad and CanActivate enhances application security and user experience. Properly managing these guards ensures users only access appropriate sections, maintaining the integrity of your application.