How to use this with database backend? about accesscontrol HOT 3 CLOSED

I'm not very sure of your scenario but I'll break it down a bit...

How to use this with a mysql backed application ...

AccessControl.js is not coupled with any kind of database system. Actually it's unrelated. It only grants or denies access to a resource. The rest depends on your application's logic and decisions you (the developer) make. Read the rest @ AccessControl.js F.A.Q.. Question "Can I use AccessControl.js with a database? How?" has a detailed scenario example.

... where I have different resource group and within that I have resources that needs to have access control.

If you need to control access to it; a resource group is another resource. e.g. apple vs apple-of-april vs red-apple, etc.. In other words; if your application requires that; part of a resource should have distinguished access; you should define that as another unique resource.

... For example, I have folders and within the folder files...

Depending on your application context; what do you consider a resource here?
file? folder? both? or file-of-folder-x?

... Users can have access to folders with different roles - user, admin, owner...

Why do you have a role named owner?
Isn't the owner of a resource, still a user or admin?

More importantly, you should care about the semantics. The role owner itself does not imply anything. Role user is clearly the user of the application. admin is administrator of the application/data. owner is the owner of ... ?

💡 Tip: AccessControl implements action attributes which allows authorization by possession of a resource (own or any). So, (within your app-logic) check whether a resource is owned by the requesting user. Then authorize the action (for example "read") via; ac.can(<role>).readOwn(<resource>). Otherwise if not own resource, check with ac.can(<role>).readAny(<resource>). See this thread for more.

... where user could view files in the folder, admin could do view, edit, create & owner can do all...

var ac = new AccessControl();
// grant permissions for roles user and admin, on resource "file"...
ac.grant('user')
    .readAny('file')
    .createOwn('file')
    .updateOwn('file')
    .deleteOwn('file')
  .grant('admin')
    .readAny('file')
    .createAny('file')
    .updateAny('file')
    .deleteAny('file');

... Within a single file a user role can have more privileges granted...

I'm not sure what you mean by "privileges" here. That's an ambiguous term. For example, the right to C/R/U/D a file can be considered as 4 different privileges.

The example above does not define any resource attributes which defaults to all attributes. e.g. .updateAny('file', ['*']). You could define/restrict attributes such as .updateAny('file', ['*', '!id', '!userId']) which would translate to "update any file with all attributes except the id of the file and the userId which the file is assigned to."

... Anyone can create a new folder (owner) ...

ac.grant(['admin', 'user']).createOwn('folder');

.. and assign permissions...

You shouldn't confuse access permissions and the "permissions" of your app context. Here, it seems you're talking about resource (folder) related permissions; which could be another resource itself.

ac.grant(role).createOwn('folder-permissions');

In this example, it implies: user of this role can create folder-permissions resource for their own (related) folder resource. So before checking whether access is granted, you should make sure the implied resource (folder) is actually owned by the requesting user.

from accesscontrol.

OKay thanks! I missed the FAQ which explains lot of the concepts. I'll go through again and ask i I might have questions.

from accesscontrol.

No problem.
FAQ is added recently. I'll improve it more from the questions I receive.

Pls continue this thread if you need.

from accesscontrol.