Ready to take your JavaScript development to the next level? Meet npm Enterprise - the ultimate in enterprise JavaScript.Learn more »


0.0.4 • Public • Published

Taichi Access

Taichi Access is a simple nodejs access control module which is following *nix system style.

License: This project is under GPL/BSD

Simple Tutorial

If you have a blog system, you may have several users, for example: admin and blogger, and also those who read your blogs -- visiters. They are exactly roles for grouping users. Let's define them in json format:

var admin = {id:1, name:'yarco', roles:['admin']};
var blogger = {id:2, name:'a dog', roles:['blog']};
var visiter = {id:0, name:'anonymous', roles:['guest']};

Now we have three guys (or maybe two guys with a dog). yarco(me) is an admin, 'a dog' is a blogger and visiter is just a visiter.
We don't care about how/where those data comes from. In our access control system, id and roles are both required.
notice: the key id is configured by, you will see it below

Let's go on defining our resource -- the blog, it should be an article with a type:

var resource = {id:1000, type:'blog', title:'i\'m a good dog', owner: {id:2}};

See, blogger dog wrote his first article. Let's say he is the owner of the article.
In normal case, a resource will also have two fields: type and owner.
notice: user table and system table are in not this case.

Finally, we need to define our permission rules.

var rules = [
    {id:1, type:'blog', permissions:{everyone:'read'}}

Now, we could use our Taichi Access module to check the permission on those guys: = 'id'; // this indicate the keyword is 'id', if you are using something like {_id:1}, then it should be _id. default value is '_id', so in this case, you dont have to include this line

// set rules

// check user
access.checkUser('delete', admin, resource); // true, cause admin has delete rights 
access.checkUser('delete', blogger, resource); // true, cause blogger is the owner of the resource
access.checkUser('write', visiter, resource); // false, cause visiter don't have rights to write blog
access.checkUser('read', visiter, resource); // true, cause everyone = read is set in permissions in access rules

// or you could also set user first, then do check
access.user = visiter;
access.check('delete', resource); 
access.check('read', resource);


  • we make role name equal to resource type to make things simple, though they are really different things.
  • roles "admin", "user" and "guest" are all reserved, they have their internal meanings.
  • there are several types of resource: normal resource, system resource and user table. normal resource should have fields "type" and "owner"; system resource don't have those two fields; user table is special resource, has type "users".
  • if you didn't set rule on some resource for some role: for an admin, he could delete/write/read the resource; for those whose role equals to the resource type have write/read permission; and for a guest, he can't access that resource except you set a rule for "everyone"; for a user with "user" role, he always can read the resource.
  • system resource can only be managed by "admin" and also readable to all
  • You could only set one rule for one resource type
  • "admin" role default has full permission on everything
  • "user" role default has read permission on everything
  • set a rule on some resource {type:'xxxx', permissions:{everyone:'read'}} could make the resource public read to everyone

How to install

Like other module in nodejs, just do:

npm install taichi-access


  • Attributes
    • id -- set/get the keyword name
    • user -- set/get the user you want to check
    • rules -- get rules
  • Methods
    • setRules(rules) -- set access rules
    • check(permission, resource) -- check permission on some resource
    • checkUser(permission, user, resource) -- check permission on some resource for someone
    • http2perm(method) -- utility function, map http method to permission


  • 0.0.2 - 0.0.3
    • add check on system resource type (if a resource doest set a type field, the resource will have system type which is readable to everyone and writable only to admin)
    • remove extra methods for set default user/resource, add mapping http method to permission utility function
  • 0.0.1 - 0.0.2
    • modern js style
    • use setRules(xxx) replace obj.rules=xxx


You could contact me through for this extension. Or for programming related things, whatever.

This guy currently works in So you could also get him by

All rights reserved.




npm i taichi-access

Downloadsweekly downloads









last publish


  • avatar
Report a vulnerability