accesscontrol-re
Advanced tools
A facade enhancing the great javascript [Access Control](https://onury.io/accesscontrol), but with much desired missing features!
A facade enhancing the great javascript Access Control, but with much desired missing features!
Allowing custom Actions, beyond CRUD (create, read, update, delete) actions. You can have actions like like, follow, list, share, approve and anything your business domain requires. See https://github.com/onury/accesscontrol/issues/46
Allowing '*' for *Actions and *Resources on grants, eg:
// GOD can do any *Action on any *Resource!
{
role: 'GOD',
resource: '*',
grant: {
'*:any': ['*'],
},
}
This will actually allow any known Action against any known Resource, so use with caution!
import { IAccessInfo } from 'accesscontrol';
import { addAccessInfo, build } from 'accesscontrol-re';
const accessInfos: IAccessInfo[] = [
{
role: 'user',
resource: 'comment',
action: 'list:any',
attributes: ['*', '!secret'],
}, ...
]
addAccessInfo(accessInfos);
const ac: AccessControl = build(); // @note: can call only `_.once`!
// you should use `ac.permission()` only from now on :-)
Only the .grant(accessInfo: IAccessInfo) and .permission(queryInfo: IQueryInfo) are supported, not the chained fluent methods like createAny & updateOwn. The upside of this is that you can do anything without those, and they are cleaner and easier to use for DB or bulk creation & querying of permissions than the fluent ones.
This problem could be solved with the new JavaScript Proxy, but I wont even bother :-)
There is some patching going on, as this is not a fork or reworked version of Access Control, just a facade. This is actually a very good point, cause Access Control version 2.x is just in peerdependencies so its updates on your local version will be picked up.
You need to create ALL your grants before you can use it & call .build to retrieve an ActionControl instance with the grants locked. This is due to the way the '*' actions & resources actually work: the '*' is forcing all known actions / resources to be created. Also you can call build() only _.once, it has no effect after that (use require-clean if you want a fresh instance :-).
@todo: .extend is disabled by design and is discouraged, for your own sake. Its evil to use while this is open https://github.com/onury/accesscontrol/issues/34#issuecomment-466387586 - when closed I'll happily add it :-)
Order of addAccessInfo, matters!
Custom Possessions (beyond 'any' & 'own') - completing https://github.com/onury/accesscontrol/issues/46)
Role '*' wildcard - scenarios like *Any Role can Visit the Homepage, eg role: '*'
Add most of Actions, Resources or Possessions, using negate wildcards, eg: action: ['*', '!drop_entity_table'].
If other goodies and Access Control issues solved via this facade seem important to me, they will!
PRs, with tests + rationale, more than welcome :-)
MIT
FAQs
A facade enhancing the great javascript [Access Control](https://onury.io/accesscontrol), but with much desired missing features!
We found that accesscontrol-re demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
Socket researchers uncover how threat actors weaponize Out-of-Band Application Security Testing (OAST) techniques across the npm, PyPI, and RubyGems ecosystems to exfiltrate sensitive data.
Security News
Research
A malicious npm campaign is targeting Ethereum developers by impersonating Hardhat plugins and the Nomic Foundation, stealing sensitive data like private keys.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.