Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.

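/**
 * @module Permission
 *
 * @description
 * The actions a Role is granted on a particular Model and its attributes.
 *
 * Each Permission row is one grant: a subject (the linked `role`, the linked
 * `user`, or the object's owner, selected by `relation`) may perform one
 * `action` on one `Model`, optionally narrowed by `criteria` and
 * `objectFilters`. Rows of this model ARE the authorization policy data, so
 * the `afterValidate` hook below refuses shapes the policy layer could not
 * interpret unambiguously.
 */
'use strict';

var _ = require('lodash');

/** CRUD verbs a Permission may grant (see the TODO on `action`). */
var ACTIONS = ['create', 'read', 'update', 'delete'];

/** Who a grant applies to: the linked `role`, the object's owner, or the linked `user`. */
var RELATIONS = ['role', 'owner', 'user'];

/**
 * True when a subject reference (`user` / `role`) is not set.
 *
 * Neither column is `required` at the schema level because which one is
 * mandatory depends on `relation`. `null` and `undefined` are treated like the
 * empty string: the previous check only caught `""`, so a permission created
 * with the subject simply omitted (or defaulted to null by the ORM) slipped
 * through despite the "MUST have the ... attribute set" error message.
 *
 * @param {*} value - raw attribute value as seen by the lifecycle hook
 * @returns {boolean}
 */
function isUnset(value) {
  return value == null || value === '';
}

/**
 * Lifecycle hook: reject Permission rows that are internally inconsistent.
 *
 * Checks run in order and the first failure is reported; `next` is invoked
 * exactly once. (Previously each failure called `next(err)` without returning
 * and the trailing `next()` then signalled success after the error.)
 *
 * NOTE(review): `afterValidate` is a pre-1.0 Waterline lifecycle callback;
 * confirm the Sails/Waterline version in use still invokes it, otherwise none
 * of these checks run at all.
 *
 * @param {object} permission - the attribute values being validated
 * @param {function(Error=)} next - Waterline continuation
 */
function validatePermissionShape(permission, next) {
  var relation = permission.relation;
  var action = permission.action;

  // Presumably ownership is established by creating the record, so an
  // owner-scoped right to create has nothing to be scoped to.
  if (relation === 'owner' && action === 'create') {
    return next(new Error('Creating a Permission with relation=owner and action=create is tautological'));
  }

  // A criteria blacklist appears to narrow which attributes the grant covers;
  // delete removes the whole record, so a blacklist could never be honoured.
  // Only inspect `criteria` when it matters (same short-circuit as before).
  if (action === 'delete') {
    var hasBlacklist = _.some(permission.criteria, function (criteria) {
      return !_.isEmpty(criteria.blacklist);
    });
    if (hasBlacklist) {
      return next(new Error('Creating a Permission with an attribute blacklist is not allowed when action=delete'));
    }
  }

  // relation=user / relation=role without the matching subject would be a
  // grant that names nobody, or whatever the policy resolves a null to; refuse it.
  if (relation === 'user' && isUnset(permission.user)) {
    return next(new Error('A Permission with relation user MUST have the user attribute set'));
  }
  if (relation === 'role' && isUnset(permission.role)) {
    return next(new Error('A Permission with relation role MUST have the role attribute set'));
  }

  next();
}

module.exports = {
  autoCreatedBy: false,

  description: [
    'Defines a particular `action` that a `Role` can perform on a `Model`.',
    'A `User` can perform an `action` on a `Model` by having a `Role` which',
    'grants the necessary `Permission`.'
  ].join(' '),

  attributes: {
    id: {
      type: 'number',
      autoIncrement: true
    },

    /**
     * The Model that this Permission applies to.
     */
    model: {
      model: 'Model',
      required: true
    },

    /**
     * The CRUD verb being granted.
     *
     * TODO remove enum and support permissions based on all controller
     * actions, including custom ones. Until then only the four verbs in
     * ACTIONS can be stored; how custom actions are handled is decided by the
     * policy layer, not by this model.
     */
    action: {
      type: 'string',
      required: true,
      isIn: ACTIONS
    },

    /**
     * Who the grant is for. `role` (the default) and `user` require the
     * matching attribute below; that requirement is enforced in the
     * afterValidate hook rather than by `required`.
     */
    relation: {
      type: 'string',
      isIn: RELATIONS,
      defaultsTo: 'role'
    },

    /**
     * The Role to which this Permission grants create, read, update, and/or
     * delete privileges. Deliberately not `required`: it is mandatory only for
     * relation=role and is validated manually in afterValidate.
     */
    role: {
      model: 'Role'
    },

    /**
     * The User to which this Permission grants create, read, update, and/or
     * delete privileges. Deliberately not `required`: it is mandatory only for
     * relation=user and is validated manually in afterValidate.
     */
    user: {
      model: 'User'
    },

    /**
     * A list of object filters. Object ids are compiled into a where clause and
     * forwarded to the criteria policy.
     */
    objectFilters: {
      collection: 'ObjectFilter',
      via: 'permission'
    },

    /**
     * A list of criteria. If any of the criteria match the request, the action
     * is allowed. If no criteria are specified, it is ignored altogether.
     */
    criteria: {
      collection: 'Criteria',
      via: 'permission'
    }
  },

  afterValidate: [validatePermissionShape]
};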