This is due to the fact you are returning a Promise<boolean> instead of just a boolean. If you were to just return a boolean it wouldn’t check the RoleGuard. I would guess this is either a bug in angular2 or an expected result of async requests.
You can however resolve this with your example by only using RoleGuard for urls where a certain Role is required, because I guess you need to be logged in to have a role. In that case you can change your RoleGuard to this:
@Injectable()
export class RoleGuard implements CanActivate {
constructor(private _authGuard: AuthGuard) {}
canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Promise<boolean> {
return this._authGuard.canActivate(route, state).then((auth: boolean) => {
if(!auth) {
return false;
}
//... your role guard check code goes here
});
}
}
Update
In the latest Angular version (currently v8.x) – Even if both Guard will return false – they will still be both executed. (behavior was aligned between different return values)