Comments (5)
@onury alright, thanks for the quick replies.
from accesscontrol.
Sure.
Scenario: Role "user" can read any photo resource but update own photos only.
Example:
Define Access Permissions
var ac = new AccessControl();
ac.grant('user')
    .readAny('photo', ['*', '!id'])
    .updateOwn('photo', ['*', '!id']);
Note that the user can only update their own photo resource but cannot alter the id of the photo resource, even if it's their own photo.
Define App Routes
For an express.js app, we'll define 2 routes for the photo resource.
1. Any-photo route: GET /photos/:id
router.get('/photos/:id', function (req, res, next) {
  var permission = ac.can(req.user.role).readAny('photo');
  if (permission.granted) {
    Photo.find({ id: req.params.id }, function (err, data) {
      if (err || !data) return res.status(404).end();
      // filter data by permission attributes and send.
      res.json(permission.filter(data)); // .id is filtered out
    });
  } else {
    // resource is forbidden for this user/role
    res.status(403).end();
  }
});
2. Own-photo route: PUT /users/:username/photos/:id
router.put('/users/:username/photos/:id', function (req, res, next) {
  var role = req.user.role;
  // check if the request is for own photos or any
  var permission = (req.user.name === req.params.username)
    ? ac.can(role).updateOwn('photo')
    : ac.can(role).updateAny('photo');
  if (permission.granted) {
    // we filter the posted request body so that only
    // allowed attributes are used to update the resource.
    var sanitizedData = permission.filter(req.body); // .id is filtered out
    Photo.update(req.params, sanitizedData, function (err, result) {
      // either send 404 if not found or 5xx if a server/database error
      if (err || !result) return res.status(404).end();
      res.json(result);
    });
  } else {
    res.status(403).end(); // forbidden
  }
});
Hope this makes it clear for you.
I believe for this you have to include :username in the route.
What if I do not have any :username in the route? For example PUT /photos/:id
That's a design decision. I gave you just one scenario. What you're asking is a question for REST API design.
AccessControl only tells you whether a specific role is authorized to access own/any resource(s). It has no information (or goal) to check whether the actual resource (the record) is owned by a specific, actual user.
It only checks if an action is allowed on "own" (or "any") resource. This is by definition.
The route /photos/:id has no claim of a resource owner (implicit role) in the query params (and probably none in the req body). So your middleware should get the original resource owner itself and determine whether this is a request for an own resource. If so, AC can check whether that role can actually perform that action on own resource.
In other words,
- identifying whether an actual request is for an owned resource
- checking whether a role can perform some action on own resource(s)
are two different things.
updateOwn should throw an error if req.body consists of inaccessible attributes.
@onury
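The two separate steps onury describes (the app resolving whether the record belongs to the caller, then AccessControl answering whether the role may act on own/any resources) and the strict-body behaviour asked for in the last comment, combined in one added example for a PUT /photos/:id route with no :username. This is not code from the accesscontrol project: to run offline it uses a small stand-in `can(role, action, possession, resource)` for `ac.can(role).updateOwn/updateAny(resource)` and `permission.filter()`, driven by a grants object in the shape the library accepts; the stand-in only understands top-level '*' and '!attr' patterns. The `grants`, the in-memory `photos` store (standing in for Photo.find/Photo.update) and `authorizeUpdate` are all constructed for the example.

```javascript
// Added example, not from the accesscontrol project. Grants for the thread's
// scenario, written in accesscontrol's grants-object format; the admin role is
// added here only to exercise the "any" possession path.
const grants = {
  user: {
    photo: {
      'read:any': ['*', '!id'],
      'update:own': ['*', '!id'],
    },
  },
  admin: {
    photo: {
      'update:any': ['*'],
    },
  },
};

// Stand-in for ac.can(role).<action><Own|Any>(resource). Returns an object
// with .granted and .filter(), the two members the thread's routes use.
// Only top-level '*' and '!attr' entries are interpreted (no dotted paths).
function can(role, action, possession, resource) {
  const byRole = grants[role] || {};
  const byResource = byRole[resource] || {};
  const attrs = byResource[`${action}:${possession}`] || [];
  const allowAll = attrs.includes('*');
  const denied = new Set(attrs.filter(a => a.startsWith('!')).map(a => a.slice(1)));
  const allowed = new Set(attrs.filter(a => a !== '*' && !a.startsWith('!')));
  return {
    granted: attrs.length > 0,
    attributes: attrs,
    // Keep only the attributes the grant allows; '!id' strips id.
    filter(data) {
      const out = {};
      for (const key of Object.keys(data)) {
        if (denied.has(key)) continue;
        if (allowAll || allowed.has(key)) out[key] = data[key];
      }
      return out;
    },
  };
}

// Constructed in-memory store standing in for Photo.find / Photo.update.
const photos = new Map([
  [1, { id: 1, owner: 'alice', title: 'beach', url: 'a.jpg' }],
  [2, { id: 2, owner: 'bob', title: 'hills', url: 'b.jpg' }],
]);

// Authorization for PUT /photos/:id.
//  1. (the app's job) load the record and decide whether the caller owns it;
//  2. (AccessControl's job) ask whether the role may update own/any photos;
//  3. filter the posted body down to the granted attributes.
// With strict=true a body that carries attributes outside the grant is
// rejected with 400 instead of being silently trimmed.
function authorizeUpdate(user, photoId, body, { strict = false } = {}) {
  const photo = photos.get(photoId);
  if (!photo) return { status: 404 };

  // Ownership is decided from the stored record, never from the request.
  const possession = photo.owner === user.name ? 'own' : 'any';
  const permission = can(user.role, 'update', possession, 'photo');
  if (!permission.granted) return { status: 403 };

  const sanitized = permission.filter(body);
  const dropped = Object.keys(body).filter(k => !(k in sanitized));
  if (strict && dropped.length > 0) return { status: 400, dropped };

  // Apply the update to a copy; id and owner cannot be changed by the body.
  const updated = { ...photo, ...sanitized };
  photos.set(photoId, updated);
  return { status: 200, photo: updated, dropped };
}
```

The comparison `photo.owner === user.name` is the part the library deliberately leaves to the application; if a route instead chose updateOwn because a URL segment or a body field claimed ownership, any authenticated user could edit any photo. Whether to silently drop disallowed attributes (the library's `filter` behaviour) or reject the request is an API-design choice: rejecting makes misbehaving clients visible in logs, trimming is more forgiving. In a real app, replace `can(...)` with `ac.can(role).updateOwn('photo')` or `updateAny('photo')` from the library and the `photos` map with the data layer.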