UNPKG

@superawesome/permissions

Version:

Fine grained permissions / access control with ownerships & attribute picking, done right.

permissions.docs.superawesome.com

SuperAwesomeLTD/permissions

67 lines (61 loc) 2.94 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
import { PermissionDefinition } from '../PermissionDefinitions'; import { isOwner_isDocCreatedByMeAndMyCompanyUsers, isOwner_isDocCreatedByMeAndMyManagedUsers, isOwner_isUserCreatorOfDocument, listOwned_DocsOfMeAndMyCompanyUsers, listOwned_DocsOfMeAndMyManagedUsers, listOwned_listUserCreatedDocuments, } from './data.fixtures'; import { EPossession } from '../types'; // note: we can't use new lines on PermissionDefinition.descr, as pOTS breaks prettier. export const PD_EXAMPLE_EMPLOYEE: PermissionDefinition = { roles: ['EMPLOYEE'], resource: 'document', descr: `> As an **EMPLOYEE**, I can **create**, **read** & **list** only my **OWN Documents (created by me)** , all attributes except **confidential**. Also, I can **list** all **Documents** on the system, but only access the **title** & **date** attributes.`, isOwner: isOwner_isUserCreatorOfDocument, listOwned: listOwned_listUserCreatedDocuments, possession: EPossession.own, grant: { create: ['*', '!confidential'], read: ['*', '!confidential'], list: ['*', '!confidential'], 'list:any': ['title', 'date'], }, }; export const PD_EXAMPLE_EMPLOYEE_MANAGER: PermissionDefinition = { roles: ['EMPLOYEE_MANAGER'], resource: 'document', descr: `> As a **EMPLOYEE_MANAGER**, I can **read**, **list**, **review** & **delete** all **Documents** created by **any User that I am managing**, all document attributes except **confidential**. Also, I can **list** all **Documents** on the system, but only access the **title**, **date** & **status** attributes.`, isOwner: isOwner_isDocCreatedByMeAndMyManagedUsers, listOwned: listOwned_DocsOfMeAndMyManagedUsers, possession: EPossession.own, // default from `possession` for all not having explicit (eg `read`) grant: { read: ['*', '!confidential', '!personal'], review: ['*', '!confidential', '!personal'], delete: ['*', '!confidential', '!personal'], list: ['*', '!confidential', '!personal'], 'list:any': ['title', 'date', 'status'], }, }; export const PD_EXAMPLE_COMPANY_ADMIN: PermissionDefinition = { roles: ['COMPANY_ADMIN'], resource: 'document', descr: `> As a **COMPANY_ADMIN**, I can **read**, **update** and **review** all **Documents** created by **any User in my Company**, all attributes.`, isOwner: isOwner_isDocCreatedByMeAndMyCompanyUsers, listOwned: listOwned_DocsOfMeAndMyCompanyUsers, possession: EPossession.own, grant: [`read`, `update`, `review`], }; export const PD_EXAMPLE_SUPER_ADMIN: PermissionDefinition = { roles: ['SUPER_ADMIN'], resource: '*', descr: `> As a **SUPER_ADMIN**, I can do all actions on **any resource** (not just documents), created by ANY User, ANY Company and access all attributes.`, grant: ['*'], }; export const permissionDefinitions_examples: PermissionDefinition[] = [ PD_EXAMPLE_EMPLOYEE, PD_EXAMPLE_EMPLOYEE_MANAGER, PD_EXAMPLE_COMPANY_ADMIN, PD_EXAMPLE_SUPER_ADMIN, ];