UNPKG

@kurbar/access-control

Version:

Role, Attribute and Condition based Access Control for Node.js

github.com/kurbar/access-control

kurbar/access-control

230 lines (229 loc) 8.1 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.Access = void 0; var utils_1 = require("./../utils/"); /** * Represents the inner `Access` class that helps build an access information * to be granted or denied; and finally commits it to the underlying grants * model. You can get a first instance of this class by calling * `AccessControl#grant()` or `AccessControl#deny()` methods. * @class * @inner * @memberof AccessControl */ var Access = /** @class */ (function () { /** * Initializes a new instance of `Access`. * @private * * @param {Any} grants * Main grants object. * @param {String|Array<String>|IAccessInfo} roleOrInfo * Either an `IAccessInfo` object, a single or an array of * roles. If an object is passed and attributes * properties are optional. CAUTION: if attributes is omitted, * and access is not denied, it will default to `["*"]` which means * "all attributes allowed". * @param {Boolean} denied * Specifies whether this `Access` is denied. */ function Access(grants, roleOrInfo) { /** * Inner `IAccessInfo` object. * @protected * @type {IAccessInfo} */ this._ = {}; this._grants = grants; if (typeof roleOrInfo === 'string' || Array.isArray(roleOrInfo)) { this.role(roleOrInfo); } else if (utils_1.CommonUtil.type(roleOrInfo) === 'object') { // if an IAccessInfo instance is passed and it has 'action' defined, we // should directly commit it to grants. this._ = roleOrInfo; } if (utils_1.CommonUtil.isInfoFulfilled(this._)) { utils_1.CommonUtil.commitToGrants(grants, this._); } } // ------------------------------- // PUBLIC METHODS // ------------------------------- /** * A chainer method that sets the role(s) for this `Access` instance. * @param {String|Array<String>} value * A single or array of roles. * @returns {Access} * Self instance of `Access`. */ Access.prototype.role = function (value) { this._.role = value; return this; }; /** * A chainer method that sets the resource for this `Access` instance. * @param {String|Array<String>} value * Target resource for this `Access` instance. * @returns {Access} * Self instance of `Access`. */ Access.prototype.resource = function (value) { this._.resource = value; return this; }; /** * Commits the grant * @returns {Access} * Self instance of `Access`. */ Access.prototype.commit = function () { utils_1.CommonUtil.commitToGrants(this._grants, this._); return this; }; /** * Sets the resource and commits the * current access instance to the underlying grant model. * * @param {String|Array<String>} [resource] * Defines the target resource this access is granted or denied for. * This is only optional if the resource is previously defined. * If not defined and omitted, this will throw. * @param {String|Array<String>} [attributes] * Defines the resource attributes for which the access is granted * for. If granted before via `.grant()`, this will default * to `["*"]` (which means all attributes allowed.) * * @throws {AccessControlError} * If the access instance to be committed has any invalid * data. * * @returns {Access} * Self instance of `Access` so that you can chain and define * another access instance to be committed. */ Access.prototype.on = function (resource, attributes) { return this._prepareAndCommit(this._.action, resource, attributes); }; /** * Sets the array of allowed attributes for this `Access` instance. * @param {String|Array<String>} value * Attributes to be set. * @returns {Access} * Self instance of `Access`. */ Access.prototype.attributes = function (value) { this._.attributes = value; return this; }; /** * Sets condition for this `Access` instance. * @param {ICondition | string | Function} value * Conditions to be set. * @returns {Access} * Self instance of `Access`. */ Access.prototype.condition = function (value) { this._.condition = value; return this; }; /** * Sets the roles to be extended for this `Access` instance. * @param {String|Array<String>} roles * A single or array of roles. * @returns {Access} * Self instance of `Access`. */ Access.prototype.extend = function (roles) { // When extending role we are not checking for conditions so we can use sync method return this.extendSync(roles); }; /** * Sets the roles to be extended for this `Access` instance. * @param {String|Array<String>} roles * A single or array of roles. * @returns {Access} * Self instance of `Access`. */ Access.prototype.extendSync = function (roles) { utils_1.CommonUtil.extendRoleSync(this._grants, this._.role, roles); return this; }; /** * Shorthand to switch to a new `Access` instance with a different role * within the method chain. * * @param {String|Array<String>|IAccessInfo} [roleOrInfo] * Either a single or an array of roles or an * {@link ?api=ac#AccessControl~IAccessInfo|`IAccessInfo` object}. * * @returns {Access} * A new `Access` instance. * * @example * ac.grant('user').createOwn('video') * .grant('admin').updateAny('video'); */ Access.prototype.grant = function (roleOrInfo) { return (new Access(this._grants, roleOrInfo)).attributes(['*']); }; /** * Sets the action. * * @param {String} action * Defines the action this access is granted for. * * @returns {Access} * Self instance of `Access` so that you can chain and define * another access instance to be committed. */ Access.prototype.execute = function (action) { this._.action = action; return this; }; /** * Alias of `execute` */ Access.prototype.action = function (action) { this._.action = action; return this; }; /** * Sets the condition for access. * * @param {String} condition * Defines the action this access is granted for. * * @returns {Access} * Self instance of `Access` so that you can chain and define * another access instance to be committed. */ Access.prototype.when = function (condition) { this._.condition = condition; return this; }; // ------------------------------- // PRIVATE METHODS // ------------------------------- /** * @private * @param {String} action [description] * @param {String|Array<String>} resource [description] * @param {String|Array<String>} attributes [description] * @returns {Access} * Self instance of `Access`. */ Access.prototype._prepareAndCommit = function (action, resource, attributes) { this._.action = action; if (resource) this._.resource = resource; if (attributes) this._.attributes = attributes; utils_1.CommonUtil.commitToGrants(this._grants, this._); // important: reset attributes for chained methods this._.attributes = undefined; return this; }; return Access; }()); exports.Access = Access;