import * as _ from 'lodash';
import { PermissionDefinition, PermissionDefinitionDefaults } from '../PermissionDefinitions';
import {
isOwner_isDocCreatedByMeAndMyCompanyUsers,
isOwner_isDocCreatedByMeAndMyManagedUsers,
isOwner_isUserCreatorOfDocument,
limitOwned_DocsOfMeAndMyCompanyUsers,
limitOwned_DocsOfMeAndMyManagedUsers,
limitOwned_listUserCreatedDocuments,
listOwned_DocsOfMeAndMyCompanyUsers,
listOwned_DocsOfMeAndMyManagedUsers,
listOwned_listUserCreatedDocuments,
} from './data.fixtures';
import { EPossession } from '../types';
/**
 * File-wide defaults for the fixtures below: a definition that omits `resource`
 * is expected to fall back to 'document' (see the explicit override on the 'comment' fixture).
 */
export const permissionDefinitionDefaults: PermissionDefinitionDefaults = { resource: 'document' };
// @todo: these permissionDefinitions are used in the tests only and are NOT the same as those in `detailed-usage-example.md.spec.ts` (should they be?). They do share the same data & owner hooks from "data.fixtures.ts", though.
// Attribute list shared by the EMPLOYEE create/read/update grants: every field except the two sensitive ones.
const EMPLOYEE_CRUD_ATTRIBUTES = ['*', '!price', '!confidential'];

/**
 * EMPLOYEE: CRUD limited to own documents (own = created by me, via `isOwner_isUserCreatorOfDocument`),
 * with 'price' and 'confidential' withheld on create/read/update.
 *
 * NOTE(review): `delete` and `list` grant ['*'] (kept that way on purpose for the tests), so the
 * descr's "can't read or write 'price' and 'confidential'" does not hold for those two actions.
 */
const PD_FIXTURES_EMPLOYEE = {
  roles: ['EMPLOYEE'],
  // Spelled out although it matches `permissionDefinitionDefaults`; any fixture may override it.
  resource: 'document',
  descr: `
* I Can CRUD only OWN Documents (i.e created by me).
* I Can't read or write 'price' and 'confidential' fields.
`,
  isOwner: isOwner_isUserCreatorOfDocument,
  listOwned: listOwned_listUserCreatedDocuments,
  possession: EPossession.own,
  grant: {
    // Bare action keys pick up `possession: own` from above.
    create: [...EMPLOYEE_CRUD_ATTRIBUTES],
    read: [...EMPLOYEE_CRUD_ATTRIBUTES],
    update: [...EMPLOYEE_CRUD_ATTRIBUTES],
    // Deliberately unrestricted so the tests have an all-attributes own grant to check against.
    delete: ['*'],
    list: ['*'],
    publish: ['title', 'content', 'createDate'],
    share: ['title', 'content', 'publishDate'],
    // Explicit `:any` keys sidestep the `possession: own` default: an EMPLOYEE may list/browse
    // documents that are not their own, but only with this reduced attribute set.
    'list:any': ['title', 'createDate'],
    'browse:any': ['title', 'content'],
  },
};
/**
 * EMPLOYEE_MANAGER / QA_MANAGER: CRUD on documents created by me or by any user I manage
 * (ownership decided by `isOwner_isDocCreatedByMeAndMyManagedUsers`); only 'price' is withheld.
 * `resource` is omitted here and falls back to `permissionDefinitionDefaults`.
 */
const PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER = {
  roles: ['EMPLOYEE_MANAGER', 'QA_MANAGER'],
  descr: `
* I Can CRUD all Documents that are created by me OR any User that I manage.
* I can't read or write only the 'price' field.
`,
  isOwner: isOwner_isDocCreatedByMeAndMyManagedUsers,
  listOwned: listOwned_DocsOfMeAndMyManagedUsers,
  // Shorthand form: the top-level `attributes` and `possession` apply to every action named in `grant`.
  // It is the DRY equivalent of writing 'create:own': ['*', '!price'] (and read/update/delete) four times.
  attributes: ['*', '!price'],
  possession: EPossession.own, // the enum member stands for the string 'own'
  grant: ['create', 'read', 'update', 'delete'],
};
/**
 * COMPANY_ADMIN: full-attribute CRUD, where "own" is widened by `isOwner_isDocCreatedByMeAndMyCompanyUsers`
 * to any document created by a user of my company. Uses the long-hand 'action:possession' grant keys.
 */
const PD_FIXTURES_COMPANY_ADMIN = {
  roles: 'COMPANY_ADMIN', // a single role may be given as a plain string instead of an array
  descr: `
* I can CRUD all Documents that are created by me OR any User of my Company.
`,
  isOwner: isOwner_isDocCreatedByMeAndMyCompanyUsers,
  listOwned: listOwned_DocsOfMeAndMyCompanyUsers,
  grant: {
    'create:own': ['*'],
    'read:own': ['*'],
    'update:own': ['*'],
    'delete:own': ['*'],
  },
};
/**
 * SUPER_ADMIN on documents: `:any` possession, i.e. no creator/company restriction. The own-hooks are
 * still supplied so that "my own documents" stay filterable even for this role.
 * Limits that survive the wide grant: `delete:any` may only touch 'deletedAt', `list:any` hides
 * 'confidential' (wider than EMPLOYEE, still capped), and `share` is granted as own-only.
 */
const PD_FIXTURES_SUPER_ADMIN = {
  roles: 'SUPER_ADMIN',
  descr: `
* I can CREATE, VIEW, EDIT or DELETE any Document, by ANY user, company etc.
* I can read or write to any field (except delete where I can only change 'deletedAt').`,
  isOwner: isOwner_isUserCreatorOfDocument,
  listOwned: listOwned_listUserCreatedDocuments,
  grant: {
    'create:any': ['*'],
    'read:any': ['*'],
    'update:any': ['*'],
    'delete:any': ['deletedAt'],
    'list:any': ['*', '!confidential'],
    'browse:any': ['title', 'content', 'views', 'likes'],
    'share:own': ['title', 'content', 'publishDate', 'createDate', 'revision'],
  },
};
/**
 * SUPER_ADMIN on the 'comment' resource (overrides the 'document' default).
 * NOTE(review): the descr promises CREATE as well, but no 'create:any' is granted below; the two
 * disagree, and assertions should follow the grant rather than the descr.
 */
const PD_FIXTURES_SUPER_ADMIN_COMMENT = {
  roles: 'SUPER_ADMIN',
  resource: 'comment',
  descr: `
* I can CREATE, VIEW, EDIT or DELETE any comment, by ANY user, company etc.
* I can read or write to any field.
`,
  grant: {
    // 'create:any' is left out on purpose.
    'read:any': ['*'],
    'update:any': ['*'],
    'delete:any': ['*'],
    'list:any': ['*'],
    'like:any': ['*'],
  },
};
/**
 * GOD: the widest grant in the fixture set — wildcard resource, wildcard action, every attribute.
 * Exists so the tests can exercise '*' matching on resource and action at once.
 */
const PD_FIXTURES_GOD = {
  roles: 'GOD',
  resource: '*',
  descr: `
* I can any *Action on any *Resource!
* I can to any those to any field.
`,
  grant: {
    '*:any': ['*'],
  },
};
/**
 * Wildcard-role fixture: `roles: '*'` hands 'preview:any' on the 'securityHole' resource to every role.
 * Named after what such a wildcard would amount to in real configuration; it is here so the tests can
 * pin down exactly how a '*' role is matched (presumably also for roles no other definition names —
 * confirm against the tests that use it).
 */
const PD_FIXTURES_SECURITY_HOLE = {
  roles: '*',
  resource: 'securityHole',
  descr: `
* ALL *Role can preview:any on securityHole!
`,
  grant: {
    'preview:any': ['*'],
  },
};
/**
 * The fixture set used by the tests in its `listOwned` flavour: every definition that filters
 * owned documents does so through a `listOwned` hook.
 */
export const permissionDefinitions: PermissionDefinition[] = [
  PD_FIXTURES_EMPLOYEE,
  PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER,
  PD_FIXTURES_COMPANY_ADMIN,
  PD_FIXTURES_SUPER_ADMIN,
  PD_FIXTURES_SUPER_ADMIN_COMMENT,
  PD_FIXTURES_GOD,
  PD_FIXTURES_SECURITY_HOLE,
];
/**
 * Shallow-copies a definition, dropping its `listOwned` hook and attaching a `limitOwned` one instead.
 * Only the top level is copied: `grant` and the attribute arrays stay shared with the original fixture,
 * so a test that mutates them would affect both fixture sets.
 */
const withLimitOwned = <T extends { listOwned?: unknown }, L>(pd: T, limitOwned: L) => ({
  ..._.omit(pd, 'listOwned'),
  limitOwned,
});

/**
 * Same fixtures as `permissionDefinitions`, but owned-document filtering goes through `limitOwned`
 * rather than `listOwned`. Definitions without an owner hook are reused as-is.
 */
export const permissionDefinitions_limitOwned: PermissionDefinition[] = [
  withLimitOwned(PD_FIXTURES_EMPLOYEE, limitOwned_listUserCreatedDocuments),
  withLimitOwned(PD_FIXTURES_EMPLOYEE_MANAGER_AND_QA_MANAGER, limitOwned_DocsOfMeAndMyManagedUsers),
  withLimitOwned(PD_FIXTURES_COMPANY_ADMIN, limitOwned_DocsOfMeAndMyCompanyUsers),
  withLimitOwned(PD_FIXTURES_SUPER_ADMIN, limitOwned_listUserCreatedDocuments),
  PD_FIXTURES_SUPER_ADMIN_COMMENT,
  PD_FIXTURES_GOD,
  PD_FIXTURES_SECURITY_HOLE,
];