Comments (3)
I'm not very sure of your scenario but I'll break it down a bit...
How to use this with a mysql backed application ...
AccessControl.js is not coupled with any kind of database system. Actually it's unrelated. It only grants or denies access to a resource. The rest depends on your application's logic and decisions you (the developer) make. Read the rest @ AccessControl.js F.A.Q.. Question "Can I use AccessControl.js with a database? How?" has a detailed scenario example.
... where I have different resource group and within that I have resources that needs to have access control.
If you need to control access to it; a resource group is another resource. e.g. apple
vs apple-of-april
vs red-apple
, etc.. In other words; if your application requires that; part of a resource should have distinguished access; you should define that as another unique resource.
... For example, I have folders and within the folder files...
Depending on your application context; what do you consider a resource here?
file
? folder
? both? or file-of-folder-x
?
... Users can have access to folders with different roles - user, admin, owner...
Why do you have a role named owner
?
Isn't the owner of a resource, still a user or admin?
More importantly, you should care about the semantics. The role owner
itself does not imply anything. Role user
is clearly the user of the application. admin
is administrator of the application/data. owner
is the owner of ... ?
💡 Tip: AccessControl implements action attributes which allows authorization by possession of a resource (own or any). So, (within your app-logic) check whether a resource is owned by the requesting user. Then authorize the action (for example "read") via; ac.can(<role>).readOwn(<resource>)
. Otherwise if not own resource, check with ac.can(<role>).readAny(<resource>)
. See this thread for more.
... where user could view files in the folder, admin could do view, edit, create & owner can do all...
var ac = new AccessControl();
// grant permissions for roles user and admin, on resource "file"...
ac.grant('user')
.readAny('file')
.createOwn('file')
.updateOwn('file')
.deleteOwn('file')
.grant('admin')
.readAny('file')
.createAny('file')
.updateAny('file')
.deleteAny('file');
... Within a single file a user role can have more privileges granted...
I'm not sure what you mean by "privileges" here. That's an ambiguous term. For example, the right to C/R/U/D a file can be considered as 4 different privileges.
The example above does not define any resource attributes which defaults to all attributes. e.g. .updateAny('file', ['*'])
. You could define/restrict attributes such as .updateAny('file', ['*', '!id', '!userId'])
which would translate to "update any file with all attributes except the id
of the file and the userId
which the file is assigned to."
... Anyone can create a new folder (owner) ...
ac.grant(['admin', 'user']).createOwn('folder');
.. and assign permissions...
You shouldn't confuse access permissions and the "permissions" of your app context. Here, it seems you're talking about resource (folder) related permissions; which could be another resource itself.
ac.grant(role).createOwn('folder-permissions');
In this example, it implies: user of this role can create folder-permissions resource for their own (related) folder resource. So before checking whether access is granted, you should make sure the implied resource (folder
) is actually owned by the requesting user.
from accesscontrol.
OKay thanks! I missed the FAQ which explains lot of the concepts. I'll go through again and ask i I might have questions.
from accesscontrol.
No problem.
FAQ is added recently. I'll improve it more from the questions I receive.
Pls continue this thread if you need.
from accesscontrol.
Related Issues (20)
- How to restrict access to certain part of the page HOT 1
- I would like to become a maintainer of this repo HOT 8
- grant permissions for every resources ? HOT 1
- please ignore - opened by mistake
- Filter array data
- support for deno
- Custom Possession HOT 1
- Cannot inherit non-existent role when using grants in object
- AccessControl() constructor does not support list of grant objects comes from Mongodb using mongoose
- Why we need to filter out the req.body in updateOwn
- Control system
- Multicontextual permissions HOT 1
- Make Action and Possession actual enums.
- Ignore undefined roles if one of them enough access HOT 3
- Filter creates anwanted fields HOT 4
- Allow `number` as valid type of role
- Distributed Grant File HOT 1
- Consider upgrading Notation to latest version 2.0 HOT 5
- Is this repo abandoned? HOT 3
- Rules support? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from accesscontrol.