Wondering what’s next for npm?Check out our public roadmap! »

    sails-hook-user-acl

    0.1.4 • Public • Published

    sails-hook-user-acl

    Hook to manage basic user ACL. You can secure all routes (config/routes.js or rest url), define some rules to test it in your own code and secure some assets (js, css, pdf...).

    Installation

    npm install sails-hook-user-acl
    

    Don't use sudo or config/acl.js will be create as root user and not editable

    Configure

    Create or modify config/acl.js :

    module.exports.acl = {
        //Current user role access, default in session.role
        "currentRole"   : "session.role",
        "roles"         : ["user", "admin"],//Default roles in application
        "defaultPolicy" : "allow",//Default policy allow or deny, if no acl was define for a route or rule this is the default behavior
        "defaultRole"   : "user",//Default role when user is not logged at all
        "onForbidden"   : function (req, res)
        {
            if (req.wantsJSON)
            {
                res.status(403).json();
            }
            else
            {
                res.forbidden();
            }
            console.log("forbidden");
        },
        "rules"         : {//Custom ACL rules if you want to check access under controller / services
            "saveFile" : {//For example you can call sails.hook.acl.isAllow("admin", "saveFile")
                "roles" : ["admin"]
            }
        },
        "routes"        : //Additional route that are not under config/routes, can be used to protect assets files, but also rest url
        {
            /* Examples
             "GET /user" : {
             "roles" : ["user", "admin"]
             },
             "GET /user/:id" : {
             "roles" : ["user", "admin"]
             },
             "POST /user" : {
             "roles" : ["admin"]
             },
             "PUT /user/:id" : {
             "roles" : ["admin"]
             },
             "DELETE /user/:id" : {
             "roles" : ["admin"]
             },
             "/js/admin.js"    : {
             "roles" : ["admin"]
             }
             */
        }
    };
    

    You can also configure ACL for basic routes under config/routes.js :

    '/' : {
       view       : 'homepage' //Accessible to anyone
    },
    '/office' : {
       controller : 'OfficeController',
       action     : "home",
       roles      : ["admin"]//Accessible only for admin
    }
    

    Usage

    Create a user model the way you want to, for example :

    module.exports = {
      attributes   : {
        name      : 'string',
        role      : {
          type     : "string",
          required : true,
          enum     : ['user', 'admin'] // or sails.config.acl.roles
        }
      }
    };
    

    When your user is logged put the user role in session (and don't forget to remove it on log out) and don't forget to set currentRole under config/acl.js :

    session.role = user.role;
    

    Now all it's automatic for all routes you have configure under config/routes.

    But if you want to use/check ACL manually (rules under config/acl.js), just do :

    sails.hook.acl.isAllow(ROLE, RESOURCE)
    

    Example under a controller :

    myControllerFunction : function (req, res)
    {
        User.findOneById(req.param("id")).exec(function(err, user)
        {
            if(err)
            {
                console.log("Error");
            }
            else
            {   
                //Here is the ACL verification !
                 if(sails.hook.acl.isAllow(user.role, "saveFile"))
                 {
                    //Upload file user is allowed
                 }
                 else
                 {
                    res.forbidden();
                 }
            }
        });
       
    }
    

    Install

    npm i sails-hook-user-acl

    DownloadsWeekly Downloads

    22

    Version

    0.1.4

    License

    none

    Last publish

    Collaborators

    • avatar