capstone-accesscontrol
Role and Attribute based Access Control for Node.js
// CommonJS prologue: sets the `__esModule` marker on the exports object and
// declares the `Permission` export up front; it is assigned once the class is built.
Object.defineProperty(exports, "__esModule", { value: true });
exports.Permission = void 0;
// Shared helpers: this file calls `utils.getUnionAttrsOfRoles` and `utils.filterAll`.
var utils_1 = require("../utils");
/**
* Represents the inner `Permission` class that defines the granted or denied
* access permissions for the target resource and role.
*
* You can check for a permission in two ways:
*
* <ul>
* <li>
* You can first obtain a {@link ?api=ac#AccessControl~Query|`Query` instance}
* via {@link ?api=ac#AccessControl#can|`AccessControl#can`} which returns
* a `Permission` instance when an action method such as
* {@link ?api=ac#AccessControl~Query#createAny|`.createAny()`} is
* called.
* <p><pre><code> var permission = ac.can('user').createAny('video');
* console.log(permission.granted); // boolean</code></pre></p>
* </li>
* <li>
* Or you can call {@link ?api=ac#AccessControl#permission|`AccessControl#permission`}
* by passing a fulfilled {@link ?api=ac#AccessControl#IQueryInfo|`IQueryInfo` object}.
* <p><pre><code> var permission = ac.permission({
* role: 'user',
* resource: 'video',
* action: 'create',
* possession: 'any'
* });
* console.log(permission.granted); // boolean</code></pre></p>
* </li>
* </ul>
*
* @class
* @inner
* @memberof AccessControl
*/
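var Permission = /** @class */ (function () {
    /**
     * Initializes a new `Permission` instance.
     * @private
     *
     * @param {Object} grants
     *        Grants model, passed unchanged to `utils.getUnionAttrsOfRoles`.
     * @param {IQueryInfo} query
     *        Query describing the access being checked. Its `role`,
     *        `resource` and `value` fields are stored on the instance.
     */
    function Permission(grants, query) {
        /**
         * @private
         */
        this._ = {};
        // set attributes first. this also validates the `query` object.
        this._.attributes = utils_1.utils.getUnionAttrsOfRoles(grants, query);
        this._.role = query.role;
        this._.resource = query.resource;
        // Compared against the `value` of object-form attributes in `granted`.
        this._.value = query.value;
    }
    Object.defineProperty(Permission.prototype, "roles", {
        /**
         * Specifies the roles for which the permission is queried for.
         * Even if the permission is queried for a single role, this will still
         * return an array.
         *
         * If the returned array has multiple roles, this does not necessarily mean
         * that the queried permission is granted or denied for each and all roles.
         * Note that when a permission is queried for multiple roles, attributes
         * are unioned (merged) for all given roles. This means "at least one of
         * these roles" have the permission for this action and resource attribute.
         *
         * NOTE(review): the getter returns `query.role` exactly as the
         * constructor stored it; the array guarantee above depends on the
         * query having been normalized before or during construction - confirm.
         *
         * @name AccessControl~Permission#roles
         * @type {Array<String>}
         * @readonly
         */
        get: function () {
            return this._.role;
        },
        enumerable: false,
        configurable: true
    });
    Object.defineProperty(Permission.prototype, "resource", {
        /**
         * Specifies the target resource for which the permission is queried for.
         *
         * @name AccessControl~Permission#resource
         * @type {String}
         * @readonly
         */
        get: function () {
            return this._.resource;
        },
        enumerable: false,
        configurable: true
    });
    Object.defineProperty(Permission.prototype, "attributes", {
        /**
         * Gets an array of allowed attributes which are defined via
         * Glob notation. If access is not granted, this will be an empty array.
         *
         * Note that when a permission is queried for multiple roles, attributes
         * are unioned (merged) for all given roles. This means "at least one of
         * these roles" have the permission for this action and resource attribute.
         *
         * @name AccessControl~Permission#attributes
         * @type {Array<String>}
         * @readonly
         */
        get: function () {
            return this._.attributes;
        },
        enumerable: false,
        configurable: true
    });
    Object.defineProperty(Permission.prototype, "granted", {
        /**
         * Specifies whether the permission is granted. If `true`, this means at
         * least one attribute of the target resource is allowed.
         *
         * An attribute allows access when it is either a string that does not
         * start with `!` (after trimming), or an object whose `value` is `'*'`
         * or strictly equals the queried `value`. Any other attribute
         * (`null`, numbers, booleans, `undefined`, ...) never grants access.
         *
         * @name AccessControl~Permission#granted
         * @type {Boolean}
         * @readonly
         */
        get: function () {
            var queriedValue = this._.value;
            var attrs = this.attributes;
            if (!attrs || attrs.length === 0)
                return false;
            // just one non-negated attribute is enough.
            return attrs.some(function (attr) {
                if (typeof attr === 'string') {
                    return attr.trim().slice(0, 1) !== '!';
                }
                // `typeof null` is 'object'; exclude it so a null entry is
                // treated as malformed instead of throwing on property access.
                if (attr !== null && typeof attr === 'object') {
                    // NOTE(review): an attribute object without a `value`
                    // property matches a query without a `value` (both are
                    // `undefined`) and therefore grants - confirm this is
                    // the intended policy.
                    return attr['value'] === '*' || attr['value'] === queriedValue;
                }
                // Fail closed: an attribute of an unrecognized type is a
                // malformed grant and must not count as an allowed attribute.
                return false;
            });
        },
        enumerable: false,
        configurable: true
    });
    /**
     * Filters the given data object (or array of objects) by the permission
     * attributes and returns this data with allowed attributes.
     *
     * The attribute list is handed to `utils.filterAll` unchanged.
     * NOTE(review): `granted` accepts object-form attributes; whether
     * `filterAll` handles such entries is not visible in this file - confirm.
     *
     * @param {Object|Array} data
     *        Data object to be filtered. Either a single object or array
     *        of objects.
     *
     * @returns {Object|Array}
     *          The filtered data object.
     */
    Permission.prototype.filter = function (data) {
        return utils_1.utils.filterAll(data, this.attributes);
    };
    return Permission;
}());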
// Publish the class as the module's `Permission` export.
exports.Permission = Permission;
;