@spacl/yaml
YAML parser and validator for SPACL policies.
Installation
npm install @spacl/yaml
Documentation
API documentation is available here.
Example
# example.yml
version: 1
policies:
# Create a policy describing a standard user who can
# view other user's profiles, and edit their own.
- name: user
rules:
- path: /user/+
allow:
- get
- path: /user/:name
allow:
- put
# Create a derived policy describing an admin user who
# can also create, edit and delete any user's profile,
# but for safety reasons, cannot delete themselves.
- name: admin
base: user
rules:
- path: /user/+
allow:
- put
- post
- delete
- path: /user/:name
deny:
- delete
import { parseFileSync } from '@spacl/yaml'
const policies = parseFileSync('example.yml')
const user = policies.get('user')
const admin = policies.get('admin')
/* Our hypothetical user, 'foo'. */
const ctx = {
name: 'foo'
}
/* So, what happens if 'foo' is granted 'user' rights? */
user.query('/user/foo', 'get', ctx) // true (explicitly allowed)
user.query('/user/foo', 'put', ctx) // true (explicitly allowed)
user.query('/user/foo', 'delete', ctx) // null (implicitly denied)
user.query('/user/bar', 'get', ctx) // true (explicitly allowed)
user.query('/user/bar', 'put', ctx) // null (implicitly denied)
user.query('/user/bar', 'delete', ctx) // null (implicitly denied)
/* Alternatively, what if 'foo' is granted 'admin' rights? */
admin.query('/user/foo', 'get', ctx) // true (explicitly allowed)
admin.query('/user/foo', 'put', ctx) // true (explicitly allowed)
admin.query('/user/foo', 'delete', ctx) // false (explicitly denied)
admin.query('/user/bar', 'get', ctx) // true (explicitly allowed)
admin.query('/user/bar', 'put', ctx) // true (explicitly allowed)
admin.query('/user/bar', 'delete', ctx) // true (explicitly allowed)