What is the best way to create an AngularJS ACL? Method, AngularJS, ACL

2023-09-13 03:25:48 Author: 回忆就是一场黑白电影

I want to share with you (community) my problem.

I use the MEAN stack, so I use Node.js with Express and AngularJS, and I have a single app application.

I use passport as an authentication strategy in Node \ Express \ Jade code. I want to create an admin section on my page to manage users and other stuff.

I also want to protect these AngularJS sites loaded asynchronously by adding some access control to my $routeProvider, like:

$routeProvider.when('/admin/users', {
    templateUrl: '/views/admin/users.html',
    auth: {
        required: true,
        roles: ['admin']
    }
})

This is only pseudocode which I want to achieve in my real solution. If the user is not logged in, they should be redirected to the /signin page, and if the user is logged in and does not have the proper role to view this page, they should be redirected to an appropriate view with custom information.

Recommended answer

I prefer to handle access control on the server side, and just not serve anything up to the user if s/he shouldn't be able to access it. Then I field and interpret the response from the server to do things like rerouting to a sign-in form.

This allows for really flexible security mechanisms. For example, I can configure my backend security with a firewall for something like you've described (where a route "/admin" and all of its descendants should be protected). I can use ACLs to secure individual objects, or a SecurityManager that allows for more complex analyses of the user making the request.

Maybe this isn't a direct answer to your question, but instead encouragement to approach the problem differently. Still, I think it's a better approach than anything that I've seen in terms of pure JS access control.
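
The server-side approach from the answer above, as an added example that is not part of the original question or answer: an Express-style role guard plus the client-side mapping from its response to a route. It assumes the authentication layer (passport in the question) sets `req.user` with a `roles` array; `requireRoles`, `routeForStatus`, `mockResponse`, `check` and the `/forbidden` view are hypothetical names.

```javascript
// Added example: Express-style middleware (req, res, next), no dependencies.
// Assumption: the auth layer (e.g. passport) sets req.user = { roles: [...] }.
function requireRoles(allowedRoles) {
  return function (req, res, next) {
    const user = req.user;
    if (!user) {
      // Not authenticated: the client should send the user to /signin.
      return res.status(401).json({ error: 'authentication required' });
    }
    const roles = Array.isArray(user.roles) ? user.roles : [];
    if (!allowedRoles.some((role) => roles.includes(role))) {
      // Authenticated but lacking the role: serve nothing from this route.
      return res.status(403).json({ error: 'insufficient role' });
    }
    return next();
  };
}

// Client side: translate the server's decision into a route change.
// '/forbidden' is a hypothetical name for the "custom information" view.
function routeForStatus(status) {
  if (status === 401) return '/signin';
  if (status === 403) return '/forbidden';
  return null; // no redirect needed
}

// Minimal stand-in for an Express response so the guard runs offline.
function mockResponse() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

// Runs the admin guard against a constructed request and reports the outcome.
function check(user) {
  const res = mockResponse();
  let passed = false;
  requireRoles(['admin'])({ user: user }, res, () => { passed = true; });
  return { passed: passed, status: res.statusCode, redirect: routeForStatus(res.statusCode) };
}

console.log(check(undefined));             // anonymous visitor
console.log(check({ roles: ['editor'] })); // signed in, wrong role
console.log(check({ roles: ['admin'] }));  // signed in, admin
```

Mounted in front of both the admin data routes and the admin templates (such as /views/admin/users.html), the guard keeps the server from serving either to a user without the role. The `auth` block on the `$routeProvider` entry then only decides what the client displays, not what it is allowed to fetch.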