Protection of information in applications and systems has become increasingly important as a result of the rapid development and widespread deployment of computer systems in our daily life. The most common protection measures used in computer systems are:
- Prevention – applied to prevent information from unauthorized access, theft or damage.
- Detection – refers to discovery when information has been damaged, how it has been damaged, and who has caused the damage.
- Recovery – allows restoring the information that has been damaged or assessing and repairing any damage to the information.
Because any browser-based code and session can always be compromised, we should never rely solely on front-end security and should always combine it with much stricter back-end policies. Front-end security policies can therefore be treated only as an additional layer of prevention mechanisms. In the classical security context, prevention usually attempts to achieve three security goals: confidentiality, integrity, and availability.
- Confidentiality – applied to prevent unauthorized disclosure of information.
- Integrity – prevents unauthorized modification of information.
- Availability – prevents unauthorized withholding of information.
With that in mind, we can help enforce availability in the browser, and we can also provide basic confidentiality and integrity by implementing one of the multiple access control patterns. Generally speaking, access control in browsers is concerned with limiting users’ access to protected resources.
First, add the permission module as a dependency of one of your modules, most likely the top-most one:
angular.module('app', [..., 'permission']);
Setting up permissions
To set a permission, the permission library requires two values: a permission name and a validation function. The name identifies the permission, and the validation function is used when checking if a set identifier is still valid. Validation can be checked either browser-side or server-side.
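The following added example (not from the original article and not the permission library's own API) models a permission as a name plus a validation function, and shows why the browser-side check is only a UI layer while the back end must re-check against its own session record. It is plain JavaScript that runs in Node; `createPermissionStore`, `serverAuthorize`, the session shapes and the token value are hypothetical names and constructed sample data.

```javascript
// A permission = name + validation function. Hypothetical helper, not the library API.
function createPermissionStore() {
  const validators = new Map();
  return {
    define(name, validate) {
      if (typeof validate !== 'function') throw new TypeError('validator must be a function');
      validators.set(name, validate);
    },
    // Fail closed: unknown permissions and non-true results are denied.
    check(name, context) {
      const validate = validators.get(name);
      return Boolean(validate) && validate(context) === true;
    },
  };
}

// Browser side: decides only what the UI shows. This state lives on the client.
const browserSession = { roles: ['user'] }; // constructed sample
const browserStore = createPermissionStore();
browserStore.define('seeDashboard', (s) => s.roles.includes('user'));
browserStore.define('manageUsers', (s) => s.roles.includes('admin'));

// Server side: roles come from the server's own record, looked up by session
// token, never from anything the request claims about itself.
const serverSessions = new Map([['tok-user-1', { roles: ['user'] }]]); // constructed sample
const serverStore = createPermissionStore();
serverStore.define('manageUsers', (s) => s.roles.includes('admin'));

function serverAuthorize(request, permission) {
  const session = serverSessions.get(request.token);
  if (!session) return 401; // no valid session
  return serverStore.check(permission, session) ? 200 : 403;
}

// Models client-side state being modified: the UI check now passes,
// but the back-end decision is unchanged.
function tamperAndRequest() {
  browserSession.roles.push('admin');
  const uiShowsAdmin = browserStore.check('manageUsers', browserSession);
  const status = serverAuthorize(
    { token: 'tok-user-1', claimedRoles: browserSession.roles }, // claimedRoles is ignored
    'manageUsers'
  );
  return { uiShowsAdmin, status };
}
```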
Locally validated permissions
So, let’s create a simple local (browser-side) permission: