v1.1.5Published 6 years ago

This package has not had recent updates. Please investigate it's current state before committing to using it in your project.

Protected and restricted routes within iron-router

Create protected and user-roles restricted routes within iron-router. For roles-restricted routes, please see meteor-roles, you need to install meteor-roles separately to use it.

This package supports protected option defined in list below, ordered by prioritization:

  • Router.route() [overrides all]
  • RouteController.extend()
  • Router.configure() [might be overridden by any above]


meteor add ostrio:iron-router-protected

Demo app


Router.configure, Router.route, and RouteController will use next properties:

  • protected {Boolean} - Make route explicitly protected for all unauthorized users
  • authTemplate {String} - Name of the template to render, when access is denied
  • authRoute {String} - Route where user will be redirected, when access is denied
  • allowedRoles {[String]} - Array of roles, which have access to route
  • allowedGroup {String} - Name of the role-group, which have access to route. Note: use only with allowedRoles property, if allowedRoles is not defined check by allowedGroup will be omitted
  • authCallback {Function} - This function will be triggered on each route, with current route-object as a context and two arguments:
    • error {Object|null} - Object with error and reason properties, if access is denied
      • error - 401 or 403. 401 when access denied as for unauthorized user (Unauthorized. Permission denied). 403 when access denied by role (Forbidden. Not enough rights).
    • isGranted {Boolean|null} - true if access is granted
    • return false to prevent further code execution and rendering
    • return true to continue default behavior

Note: Don't use authTemplate and authRoute at the same time. If authTemplate and authRoute is both presented - only authTemplate will be used and rendered.


Create config:

2  // Render login form
3  authTemplate: 'loginForm',
4  // Redirect to login form, by exact route or route-name
5  authRoute: '/admin/login',
6  // Deny access for unauthorized users on all routes
7  "protected": true,
8  // Restrict access by array of roles on all routes
9  allowedRoles: ['admin'],
10  // Restrict access by role and role-group. 
11  // Use only with `allowedRoles` property, otherwise check on group is omitted
12  allowedGroup: Roles.GLOBAL_GROUP,
13  // This callback triggered each time when access is granted or forbidden for user
14  authCallback: function(error, isGranted) {
15    return console.log(error, isGranted);
16  },
18  // Common options:
19  layoutTemplate: '_layout',
20  notFoundTemplate: '_404',
21  loadingTemplate: 'loading'

Create protected route:

1Router.route('admin', {
2  template: 'admin',
3  path: '/admin',
4  "protected": true, // Deny access for unauthorized users
5  allowedRoles: ['admin'] // Restrict access by role

Override default options:

1Router.route('admin', {
2  template: 'admin',
3  path: '/admin',
4  authTemplate: null, // Do not render
5  authRoute: '/admin/login', // Redirect to login form
6  "protected": true // Deny access for unauthorized users

If all routes is protected, give access to loginForm:

1Router.route('loginForm', {
2  template: 'loginForm',
3  path: '/admin/login',
4  "protected": false // Allow access to this route for anyone

Options can be defined on controllers:

1var LocationController = RouteController.extend({
2  "protected": true
5Router.route('locations', {
6  controller: LocationController // Will be protected

Options on routes will override controller options:

1Router.route('location', {
2  controller: 'LocationController',
3  "protected": false // Won't be protected