UNPKG

@geexbox/accesscontrol

Version:

Subject and Attribute based Access Control for Node.js

github.com/microex/accesscontrol

microex/accesscontrol

147 lines (146 loc) 5.42 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); var utils_1 = require("../utils"); /** * Represents the inner `Permission` class that defines the granted or denied * access permissions for the target resource and subject. * * You can check for a permission in two ways: * * <ul> * <li> * You can first obtain a {@link ?api=ac#AccessControl~Query|`Query` instance} * via {@link ?api=ac#AccessControl#can|`AccessControl#can`} which returns * a `Permission` instance when an action method such as * {@link ?api=ac#AccessControl~Query#createAny|`.createAny()`} is * called. * <p><pre><code> var permission = ac.can('user').createAny('video'); * console.log(permission.granted); // boolean</code></pre></p> * </li> * <li> * Or you can call {@link ?api=ac#AccessControl#permission|`AccessControl#permission`} * by passing a fulfilled {@link ?api=ac#AccessControl#IQueryInfo|`IQueryInfo` object}. * <p><pre><code> var permission = ac.permission({ * subject: 'user', * resource: 'video', * action: 'create', * possession: 'any' * }); * console.log(permission.granted); // boolean</code></pre></p> * </li> * </ul> * * @class * @inner * @memberof AccessControl */ var Permission = /** @class */ (function () { /** * Initializes a new `Permission` instance. * @private * * @param {IQueryInfo} query * An `IQueryInfo` arbitrary object. */ function Permission(grants, query) { /** * @private */ this._ = {}; // set attributes first. this also validates the `query` object. this._.attributes = utils_1.utils.getUnionAttrsOfRoles(grants, query); this._.subject = query.subject; this._.resource = query.resource; } Object.defineProperty(Permission.prototype, "subjects", { /** * Specifies the subjects for which the permission is queried for. * Even if the permission is queried for a single subject, this will still * return an array. * * If the returned array has multiple subjects, this does not necessarily mean * that the queried permission is granted or denied for each and all subjects. * Note that when a permission is queried for multiple subjects, attributes * are unioned (merged) for all given subjects. This means "at least one of * these subjects" have the permission for this action and resource attribute. * * @name AccessControl~Permission#subjects * @type {Array<String>} * @readonly */ get: function () { return this._.subject; }, enumerable: true, configurable: true }); Object.defineProperty(Permission.prototype, "resource", { /** * Specifies the target resource for which the permission is queried for. * * @name AccessControl~Permission#resource * @type {String} * @readonly */ get: function () { return this._.resource; }, enumerable: true, configurable: true }); Object.defineProperty(Permission.prototype, "attributes", { /** * Gets an array of allowed attributes which are defined via * Glob notation. If access is not granted, this will be an empty array. * * Note that when a permission is queried for multiple subjects, attributes * are unioned (merged) for all given subjects. This means "at least one of * these subjects" have the permission for this action and resource attribute. * * @name AccessControl~Permission#attributes * @type {Array<String>} * @readonly */ get: function () { return this._.attributes; }, enumerable: true, configurable: true }); Object.defineProperty(Permission.prototype, "granted", { /** * Specifies whether the permission is granted. If `true`, this means at * least one attribute of the target resource is allowed. * * @name AccessControl~Permission#granted * @type {Boolean} * @readonly */ get: function () { if (!this.attributes || this.attributes.length === 0) return false; // just one non-negated attribute is enough. return this.attributes.some(function (attr) { return attr.trim().slice(0, 1) !== '!'; }); }, enumerable: true, configurable: true }); /** * Filters the given data object (or array of objects) by the permission * attributes and returns this data with allowed attributes. * * @param {Object|Array} data * Data object to be filtered. Either a single object or array * of objects. * * @returns {Object|Array} * The filtered data object. */ Permission.prototype.filter = function (data) { return utils_1.utils.filterAll(data, this.attributes); }; return Permission; }()); exports.Permission = Permission;