Mauro Bilotti - 1 month ago
AngularJS Question

Are there any known issues with including AngularJS in a Kentico module?

I'm currently working on a Kentico 9 project where we need to expose an admin backend to configure an external site within the CMS.
I saw that it is possible to create a new module that can be restricted to certain users and where you can develop your own .aspx pages.
Since we all know that ASP.NET Web Forms is an old technology today, and since most of my team has very good expertise in AngularJS, I thought that it could be interesting to include that technology in this module.

First I created the module and referenced Index.html (the entry point):


Then I created the whole bunch of files needed for this proof of concept with Angular, this way:



As you can see, it is a new folder not related to the CMS files, but in the same site.
The final result looks like this:

This seems pretty straightforward to me. I was trying to find any "warning" that could exist with this approach, but I couldn't find anything (the Kentico documentation on this topic is a bit poor).
However, I saw that Kentico renders my HTML page from CMSAdministrator.aspx, which involves the security check and everything else the CMS provides, so it seems to be safe. You can see it in the URL:

So, are there any concerns with the approach described?
Thanks in advance.

Enn
Answer

If my assumption is correct, your ~/Backend/index.html is also available directly. So if someone goes to http://yoursite.com/backend/index.html, they will be able to see your page.

The only ways I believe you can make sure this doesn't happen are to have validation on the server side (which is easy to do with Web Forms, but you could as well use controllers in MVC) or to configure web.config so that your Backend section is restricted to only certain users/roles. Something like this might help you with that:

<location path="x/a.txt">
  <system.web>
    <authorization>
      <deny users="*"/>
    </authorization>
  </system.web>
</location>
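
A `<location>` rule like the one in the answer can be checked offline before deployment. The Python sketch below is an added example, not code from the question, the answer or Kentico: it evaluates `<authorization>` rules for an anonymous request the way ASP.NET does (first matching rule wins), simplified to a single web.config and ignoring the `verbs` attribute. The sample config and the role name `BackendAdmins` are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's <location> rule pointed at the question's
# Backend folder, with a hypothetical role name ("BackendAdmins").
SAMPLE_CONFIG = """<configuration>
  <system.web><authorization><allow users="*"/></authorization></system.web>
  <location path="Backend">
    <system.web>
      <authorization>
        <allow roles="BackendAdmins"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>"""

def _rules(node):
    """Return (action, users) pairs from node's system.web/authorization, in order."""
    auth = node.find("system.web/authorization")
    if auth is None:
        return []
    return [(r.tag, r.get("users", "")) for r in auth if r.tag in ("allow", "deny")]

def anonymous_allowed(config_xml, request_path):
    """True if an unauthenticated request for request_path passes URL authorization."""
    root = ET.fromstring(config_xml)
    target = request_path.strip("/").lower()
    matches = []
    for loc in root.findall("location"):
        p = (loc.get("path") or "").strip("/").lower()
        if p and (target == p or target.startswith(p + "/")):
            matches.append((len(p), _rules(loc)))
    # Most specific <location> first, then the site-level rules.
    ordered = [r for _, rules in sorted(matches, key=lambda m: -m[0]) for r in rules]
    ordered += _rules(root)
    for action, users in ordered:
        names = [u.strip() for u in users.split(",")]
        if "*" in names or "?" in names:  # rule applies to an anonymous caller
            return action == "allow"
    return True  # no matching rule: ASP.NET's default is allow
```

ASP.NET URL authorization only covers a static file such as index.html when the request passes through the managed pipeline, so also confirm the result with an unauthenticated request to the deployed site.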