Comments (3)
onury
commented on June 2, 2024
3
@isikhi, thanks. Let me put it this way: the quoted comment suggests an opinionated system. They prefer to "ignore". Other systems are more strict when it comes to security aspects. They would not tolerate misspellings or enable no-role users.
So I think, it'd be best to make this configurable in AC constructor.
Sounds good?
from accesscontrol.
onury
commented on June 2, 2024
I'm not sure I get what you mean but when a given role is invalid (does not exist), AccessControl should definitely throw because this is most probably due to invalid configuration. And since this is security related, AC takes it seriously and throws.
From the linked threads, I can only agree with the case where no roles are defined, AC can simply deny access instead of throwing for empty array of roles. (That can also be suppressed by assigning a "guest" role for non-privileged users.)
from accesscontrol.
isikhi
commented on June 2, 2024
I ll quote an comment here directly;
Actually you could have the permission in the db or in memory with RB. The idea is that if you remove or suspend certain global permission or an action from your RB, you would not need to update all users affected, as the permission does not exist in memory, everything continues to work correctly.
Otherwise, as is happening right now, if any existing permission in the User that does not exist in the RB memory, either because it is misspelled or simply does not exist, the application throws an error. Ignore is better!
quoted from @ruslanguns
Rb=role builder
Edit: Thanks for your interest and this great library.
from accesscontrol.
Related Issues (20)
- How to restrict access to certain part of the page HOT 1
- I would like to become a maintainer of this repo HOT 8
- grant permissions for every resources ? HOT 1
- please ignore - opened by mistake
- Filter array data
- support for deno
- Custom Possession HOT 1
- Cannot inherit non-existent role when using grants in object
- AccessControl() constructor does not support list of grant objects comes from Mongodb using mongoose
- Why we need to filter out the req.body in updateOwn
- Control system
- Multicontextual permissions HOT 1
- Make Action and Possession actual enums.
- Filter creates anwanted fields HOT 4
- Allow `number` as valid type of role
- Distributed Grant File HOT 1
- Consider upgrading Notation to latest version 2.0 HOT 5
- Is this repo abandoned? HOT 3
- Rules support? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from accesscontrol.