UNPKG

@superawesome/permissions

Version:

Fine grained permissions / access control with ownerships & attribute picking, done right.

permissions.docs.superawesome.com

SuperAwesomeLTD/permissions

146 lines (144 loc) 5.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.permissionDefinitions_limitOwned = exports.permissionDefinitions = exports.permissionDefinitionDefaults = void 0; const _ = require("lodash"); const data_fixtures_1 = require("./data.fixtures"); const types_1 = require("../types"); exports.permissionDefinitionDefaults = { resource: 'document' }; // @todo: these permissionDefinitions are used in the tests only and are NOT the same as in `detailed-usage-example.md.spec.ts` (should they be?) They do share the same data & owner hooks from "data.fixtures.ts" though. const PD_FIXTURES_EMPLOYEE = { roles: ['EMPLOYEE'], resource: 'document', // You can always override it here. descr: ` * I Can CRUD only OWN Documents (i.e created by me). * I Can't read or write 'price' and 'confidential' fields. `, isOwner: data_fixtures_1.isOwner_isUserCreatorOfDocument, listOwned: data_fixtures_1.listOwned_listUserCreatedDocuments, possession: types_1.EPossession.own, grant: { // all CRUD operations inherit possession: own from above create: ['*', '!price', '!confidential'], read: ['*', '!price', '!confidential'], update: ['*', '!price', '!confidential'], // ['*'] for test's sake :-) delete: ['*'], list: ['*'], publish: ['title', 'content', 'createDate'], share: ['title', 'content', 'publishDate'], // @note: override `possession: own` above in "list:own" with `list:any`, with DIFFERENT attributes 'list:any': ['title', 'createDate'], 'browse:any': ['title', 'content'], }, }; const PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER = { roles: ['EMPLOYEE_MANAGER', 'QA_MANAGER'], // resource: 'document', not needed, using the defaults descr: ` * I Can CRUD all Documents that are created by me OR any User that I manage. * I can't read or write only the 'price' field. `, isOwner: data_fixtures_1.isOwner_isDocCreatedByMeAndMyManagedUsers, listOwned: data_fixtures_1.listOwned_DocsOfMeAndMyManagedUsers, /* Instead of grant: { 'create:own': ['*', '!price'], 'read:own': ['*', '!price'], 'update:own': ['*', '!price'], 'delete:own': ['*', '!price'], } we can keep DRYer with these 3 lines */ attributes: ['*', '!price'], possession: types_1.EPossession.own, grant: ['create', 'read', 'update', 'delete'], }; const PD_FIXTURES_COMPANY_ADMIN = { roles: 'COMPANY_ADMIN', descr: ` * I can CRUD all Documents that are created by me OR any User of my Company. `, isOwner: data_fixtures_1.isOwner_isDocCreatedByMeAndMyCompanyUsers, listOwned: data_fixtures_1.listOwned_DocsOfMeAndMyCompanyUsers, grant: { 'create:own': ['*'], 'read:own': ['*'], 'update:own': ['*'], 'delete:own': ['*'], }, }; const PD_FIXTURES_SUPER_ADMIN = { roles: 'SUPER_ADMIN', descr: ` * I can CREATE, VIEW, EDIT or DELETE any Document, by ANY user, company etc. * I can read or write to any field (except delete where I can only change 'deletedAt').`, // Although assumed `possession: EPossession.any` we still can have own hooks, to filter our own docs isOwner: data_fixtures_1.isOwner_isUserCreatorOfDocument, listOwned: data_fixtures_1.listOwned_listUserCreatedDocuments, grant: { 'create:any': ['*'], 'read:any': ['*'], 'update:any': ['*'], 'delete:any': ['deletedAt'], 'list:any': ['*', '!confidential'], 'browse:any': ['title', 'content', 'views', 'likes'], 'share:own': ['title', 'content', 'publishDate', 'createDate', 'revision'], }, }; const PD_FIXTURES_SUPER_ADMIN_COMMENT = { roles: 'SUPER_ADMIN', resource: 'comment', descr: ` * I can CREATE, VIEW, EDIT or DELETE any comment, by ANY user, company etc. * I can read or write to any field. `, grant: { // Not allowing 'create:any': ['*'], 'read:any': ['*'], 'update:any': ['*'], 'delete:any': ['*'], 'list:any': ['*'], 'like:any': ['*'], }, }; const PD_FIXTURES_GOD = { roles: 'GOD', resource: '*', descr: ` * I can any *Action on any *Resource! * I can to any those to any field. `, grant: { '*:any': ['*'], }, }; const PD_FIXTURES_SECURITY_HOLE = { roles: '*', resource: 'securityHole', descr: ` * ALL *Role can preview:any on securityHole! `, grant: { 'preview:any': ['*'], }, }; exports.permissionDefinitions = [ PD_FIXTURES_EMPLOYEE, PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER, PD_FIXTURES_COMPANY_ADMIN, PD_FIXTURES_SUPER_ADMIN, PD_FIXTURES_SUPER_ADMIN_COMMENT, PD_FIXTURES_GOD, PD_FIXTURES_SECURITY_HOLE, ]; exports.permissionDefinitions_limitOwned = [ Object.assign(Object.assign({}, _.omit(PD_FIXTURES_EMPLOYEE, 'listOwned')), { limitOwned: data_fixtures_1.limitOwned_listUserCreatedDocuments }), Object.assign(Object.assign({}, _.omit(PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER, 'listOwned')), { limitOwned: data_fixtures_1.limitOwned_DocsOfMeAndMyManagedUsers }), Object.assign(Object.assign({}, _.omit(PD_FIXTURES_COMPANY_ADMIN, 'listOwned')), { limitOwned: data_fixtures_1.limitOwned_DocsOfMeAndMyCompanyUsers }), Object.assign(Object.assign({}, _.omit(PD_FIXTURES_SUPER_ADMIN, 'listOwned')), { limitOwned: data_fixtures_1.limitOwned_listUserCreatedDocuments }), PD_FIXTURES_SUPER_ADMIN_COMMENT, PD_FIXTURES_GOD, PD_FIXTURES_SECURITY_HOLE, ]; //# sourceMappingURL=permissionDefinitions.fixtures.js.map