I'm starting on AngularJS and I'd like to show this code that is accessing a route parameter's property.. Is it safe/best practice to do it this way?
angular.module('messagecat', []).
config(['$routeProvider', function($routeProvider) {
$routeProvider.
when('/messages', {templateUrl: '/bundles/acmestore/js/partials/messages-list.html', controller: MessagesListCtrl}).
when('/messages/:messageId', {templateUrl: '/bundles/acmestore/js/partials/message-detail.html', controller: MessageDetailCtrl}).
otherwise({redirectTo: '/messages'});
}]);
/*controller*/
function MessagesListCtrl($scope, $http) {
$http.get('/messages').success(function(data) {
$scope.messages = data;
});
}
/* Does this following bit seem reasonable to you?*/
function MessageDetailCtrl($scope, $routeParams, $http) {
$http.get('/messages').success(function(data) {
$scope.messages = data[$routeParams.messageId];
//console.log($scope.messages);
});
}
the json model:
[
{
"id": 1,
"iam": 1,
"youare": 2,
"lat": 50.8275853,
"lng": 4.3809764,
"msgbody": "Lorem ipsum lorem ipsum lorem ipsum"
}
]
You cannot trust anything you have delivered to the client since it's all accessible to the user, after all, they can just press f12 to bring up the same development tools. In the end you have to focus on the Web API the data is being sent from. It has to be secure (the user must be authenticated and authorized for each operation) and validate everything sent to it thoroughly... Put another way, code the Web API as though it's being called from anywhere!