npm

Need private packages and team management tools?Check out npm Orgs. »

dpd-acl-roles-permissions

1.2.7 • Public • Published

Easily configure roles/permissions regarding methods and (nested) keyvalue-pairs for deployd

Build Status

Usage

$ npm install dpd-acl-roles-permissions dpd-event --save

Centralized configuration

  • Run deployd and go to your dashboard
  • Make sure you have a users-collection resource
  • Add a roles-property in there (array value: ["admin","staff","premium"]) and set username to 'admin'
  • Hit the green button, and add an 'event'-resource (name: /roles)
  • In the CONFIG.JSON-screen paste the json below

    { "my-endpoint": { "GET": "*", "POST": "admin,staff,premium", "PUT": "admin,staff,premium", "DELETE": "admin,staff,premium", "properties": { "email": { "GET": "admin,staff,premium", "POST": "admin,staff,premium", "PUT": "admin,staff,premium" } } } }

Done!

  • curl -X GET http://localhost/my-endpoint will now work (but hides 'email'-field for users without 'admin' or 'staff' or 'premium'-role )
  • curl -X POST http://localhost/my-endpoint will now only work for user with admin- or staff- or premium-roles

NOTE: feel free to play around with the config

Automatically filter results by owner

dpd-acl-roles-permissions has an integration for dpd-collection-systemfields. It allows you to easily setup endpoints which return owned-only results:

  • run npm install dpd-collection-systemfields --save

  • add at least the 'createdBy'-fields to all your collection-endpoints (see docs )

    { "my-endpoint": { "GET": "*", "POST": "admin,staff,premium", "PUT": "admin,staff,premium", "DELETE": "admin,staff,premium", "properties": { "createdBy": { "restrict": true, <--- add this to filter any mongodb query on current user "GET": "admin,staff,premium", "POST": "admin,staff,premium", "PUT": "admin,staff,premium" } } } }

Automatically filter results by group

We can 'abuse' roles to act as organisations- or groups too.

NOTE: this feature requires the dpd-collection-systemfields module mentioned above

Here's how to easily filter results based on roles (lets say 'staff'):

  • add a roles-array property in a collection-resource with value: ["staff"]
  • add a public-boolean property in there too

Now for non logged-in users:

  • curl -X GET http://localhost/my-endpoint returns zero-role and public records

Now for logged-in users:

  • curl -X GET http://localhost/my-endpoint returns zero-role, public, owned and records with matching roles
  • curl -X GET http://localhost/my-endpoint?account=1 returns only owned records and/or records with matching roles

Writing tests

Testing endpoints can be done using dpd-test:

var dpdTest = require('dpd-test')
var request = require('superagent')
var port = 3030

dpdTest.run({
  port: port, 
  user: {username:"foo", "password":"bar", roles:["user"]},    // specify user/role
  ready: function(dpd, done, sessionid ){

    request                                                    // do request as user foo
      .get('http://localhost:'+port+'/scraper')
      .set('Cookie', 'sid='+sessionid)
      .set('Content-Type',  'application/json')
      .set('Accept',  'application/json')
      .end(function(err,  res){
        console.dir(res.body)
        done()
      })

  }, 
  done: function(err, database){
    console.log("done") 
    process.exit( err ? 1 : 0 )
  } 
})

Features

  • restrict methods (POST/GET/PUT/DELETE method)
  • restrict (nested) key-permissions in incoming payloads (or outgoing results)
  • no need to use hide() and protect() all over the place
  • TODO: more tests

install

npm i dpd-acl-roles-permissions

Downloadsweekly downloads

37

version

1.2.7

license

ISC

homepage

github.com

repository

Gitgithub

last publish

collaborators

  • avatar
Report a vulnerability