UNPKG

@inspire-platform/sails-hook-permissions

Version:

Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.

github.com/conceptainc/sails-hook-permissions

conceptainc/sails-hook-permissions

134 lines (112 loc) 5 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
# Managing Using Library The permissions service app makes it easy to manage permissions from custom controllers, services, or pretty much any other code which is executed after the permissions hook has been full loaded. > _You can also use the Sails.js REST [blueprint routes](Managing-REST.md) to accomplish the same thing._ ## Creating Roles There are two ways to create a new `Role`: Let's say you want to create a new role called `collaborator`, and assign it to User `mrpibb`: 1. The same way you would create any other sails.js object: ```js User.findOne({ username: 'mrpibb' }) .then(function (user) { return Role.create({ name: 'collaborator', users: [ user.id ] }) .then(function (role) { console.log(role); }) .catch(function (error) { console.error(error); }); ``` 2. Via the PermissionService helper method ’createRole’. Note that this method requires creating one or more `Permission` objects as part of the method call (see the 'permissions' key in the object passed into the createRole function below). ```js PermissionService.createRole({ name: 'collaborator', users: 'mrpibb', permissions: [{ model: 'mymodel', action: 'create' }, { model: 'myothermodel', action: 'read' }] }) ```` ## Creating Permissions Creating a Role is super easy. By default, new Roles have no Permissions. There are two ways to grant new `Permissions` to a `Role`: Let's say you want to grant Users with the role collaborator with the ability to create and read all Project and Issue objects. 1. Create Permission objects just like any other sails.js model, and associate it with a Role. ```js Promise.bind({ }, Role.findOne({ name: 'collaborator' }) .then(function (role) { this.role = role; return Model.find({ name: [ 'Project', 'Issue' ] }); }) .map(function (model) { return [ Permission.create({ model: model.id, action: 'create', role: this.role.id }), Permission.create({ model: model.id, action: 'read', role: this.role.id }) ]; }) .spread(function (createPermission, readPermission) { sails.log('new create permission', createPermission); sails.log('new read permission', readPermission); }) .catch(sails.log.error); ``` 2. Use the PermissionService helper method ‘grant’. ```js Promise.all([PermissionService.grant({ role: 'collaborator', model: 'Project', action: 'read'}), PermissionService.grant({ role: 'collaborator', model: 'Project', action: 'create'}), PermissionService.grant({ role: 'collaborator', model: 'Issue', action: 'read'}), PermissionService.grant({ role: 'collaborator', model: 'Issue', action: 'create'}]) .spread(function (projectRead, projectCreate, issueRead, issueCreate) { sails.log('new read Project permission', projectRead); sails.log('new create Project permission', projectCreate); sails.log('new read Issue permission', issueRead); sails.log('new create Issue permission', issueCreate); }); ``` ## Revoking Permissions Permissions are revoked simply by deleting the relevant Permission object, or by using the PermissionService helper method ‘revoke’. Let's say we want to revoke the `create` Permission we just granted to the `collaborator` Role for `Project`. ```js Promise.bind({ }, Role.findOne({ name: 'collaborator' }) .then(function (role) { this.role = role; return Model.findOne({ name: 'Project' }); }) .then(function (model) { return Permission.destroy({ model: model.id, action: 'read', role: role.id, }); }) .then(function () { sails.log('revoked "read" from "collaborator" on "Project"'); }) .catch(sails.log.error); ``` There is also a helper method in PermissionService named ‘revoke’: ```js PermissionService.revoke({ model: 'project', action: 'read', role: 'collaborator', relation: 'role' }) .then(function () { sails.log('revoked “read” from “collaborator” on “Project”'); }); ``` ## Role add/remove Users: PermissionService has helpers to facilitate adding users to and removing users from a role. You can pass a single username or an array of usernames to these functions. ```js PermissionService.addUsersToRole('someusername', 'collaborator') .then(function () { sails.log('added “someusername” to role “collaborator”'); }); PermissionService.removeUsersFromRole(['someusername', 'mrpibb'], 'collaborator') .then(function () { sails.log('removed “someusername” and “mrpibb” from role “collaborator”'); }); ```