Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Simple authorisation addon for Ember.
Install this addon via ember-cli:
ember install ember-can
After installation you will need to add the following import to your app.js or app.ts:
import { extendResolver } from 'ember-can';
Next, replace Resolver = Resolver;
with:
Resolver = extendResolver(Resolver);
Without this update, the app will encounter an error where it cannot find your abilities.
After these changes your app file should look something like:
import Application from '@ember/application';
import Resolver from 'ember-resolver';
import loadInitializers from 'ember-load-initializers';
import config from 'my-app/config/environment';
import { extendResolver } from 'ember-can';
export default class App extends Application {
modulePrefix = config.modulePrefix;
podModulePrefix = config.podModulePrefix;
Resolver = extendResolver(Resolver);
}
loadInitializers(App, config.modulePrefix);
You want to conditionally allow creating a new blog post:
{{#if (can "create post")}}
Type post content here...
{{else}}
You can't write a new post!
{{/if}}
We define an ability for the Post
model in /app/abilities/post.js
:
// app/abilities/post.js
import { inject as service } from '@ember/service';
import { Ability } from 'ember-can';
export default class PostAbility extends Ability {
@service session;
@computed('session.currentUser')
get user() {
return this.session.currentUser;
}
@readOnly('user.isAdmin') canCreate;
get canCreate() {
return this.user.isAdmin;
}
}
We can also re-use the same ability to check if a user has access to a route:
// app/routes/posts/new.js
import Route from '@ember/routing/route';
import { inject as service } from '@ember/service';
export default class NewPostRoute extends Route {
@service abilities;
beforeModel(transition) {
let result = super.beforeModel(...arguments);
if (this.abilities.cannot('create post')) {
transition.abort();
return this.transitionTo('index');
}
return result;
}
}
And we can also check the permission before firing action:
import Component from '@ember/component';
import { inject as service } from '@ember/service';
import { action } from '@ember/object';
export default class CreatePostComponent extends Component {
@service abilities;
@action
createPost() {
if (this.abilities.can('create post', this.post)) {
// create post!
}
}
});
can
The can
helper is meant to be used with {{if}}
and {{unless}}
to protect a block (but can be used anywhere in the template).
{{can "doSth in myModel" model extraProperties}}
"doSth in myModel"
- The first parameter is a string which is used to find the ability class call the appropriate property (see Looking up abilities).
model
- The second parameter is an optional model object which will be given to the ability to check permissions.
extraProperties
- The third parameter are extra properties which will be assigned to the ability
As activities are standard Ember objects and computed properties if anything changes then the view will automatically update accordingly.
{{#if (can "edit post" post)}}
...
{{else}}
...
{{/if}}
As it's a sub-expression, you can use it anywhere a helper can be used. For example to give a div a class based on an ability you can use an inline if:
<div class={{if (can "edit post" post) "is-editable"}}>
</div>
cannot
Cannot helper is a negation of can
helper with the same API.
{{cannot "doSth in myModel" model extraProperties}}
An ability class protects an individual model which is available in the ability as model
.
Please note that all abilites names have to be in singular form
// app/abilities/post.js
import { computed } from '@ember/object';
import { Ability } from 'ember-can';
export default class PostAbility extends Ability {
// only admins can write a post
@computed('user.isAdmin')
get canWrite() {
return this.user.isAdmin;
}
// only the person who wrote a post can edit it
@computed('user.id', 'model.author')
get canEdit() {
return this.user.id === this.model.author;
}
}
// Usage:
// {{if (can "write post" post) "true" "false"}}
// {{if (can "edit post" post user=author) "true" "false"}}
If you need more than a single resource in an ability, you can pass them additional attributes.
You can do this in the helpers, for example this will set the model
to project
as usual,
but also member
as a bound property.
{{#if (can "remove member from project" project member=member)}}
...
{{/if}}
Similarly using abilities
service you can pass additional attributes after or instead of the resource:
this.abilities.can('edit post', post, { author: bob });
this.abilities.cannot('write post', null, { project: project });
These will set author
and project
on the ability respectively so you can use them in the checks.
In the example above we said {{#if (can "write post")}}
, how do we find the ability class & know which property to use for that?
First we chop off the last word as the resource type which is looked up via the container.
The ability file can either be looked up in the top level /app/abilities
directory, or via pod structure.
Then for the ability name we remove some basic stopwords (of, for in) at the end, prepend with "can" and camelCase it all.
For example:
String | property | resource | pod |
---|---|---|---|
write post | canWrite | /abilities/post.js | app/pods/post/ability.js |
manage members in project | canManageMembers | /abilities/project.js | app/pods/project/ability.js |
view profile for user | canViewProfile | /abilities/user.js | app/pods/user/ability.js |
Current stopwords which are ignored are:
The default lookup is a bit "clever"/"cute" for some people's tastes, so you can override this if you choose.
Simply extend the default AbilitiesService
in app/services/abilities.js
and override parse
.
parse
takes the ability string eg "manage members in projects" and should return an object with propertyName
and abilityName
.
For example, to use the format "person.canEdit" instead of the default "edit person" you could do the following:
// app/services/abilities.js
import Service from 'ember-can/services/abilities';
export default class AbilitiesService extends Service {
parse(str) {
let [abilityName, propertyName] = str.split('.');
return { propertyName, abilityName };
}
};
You can also modify the property prefix by overriding parseProperty
in our ability file:
// app/abilities/feature.js
import { Ability } from 'ember-can';
import { camelize } from '@ember/string';
export default class FeatureAbility extends Ability {
parseProperty(propertyName) {
return camelize(`is-${propertyName}`);
},
};
How does the ability know who's logged in? This depends on how you implement it in your app!
If you're using an Ember.Service
as your session, you can just inject it into the ability:
// app/abilities/foo.js
import { Ability } from 'ember-can';
import { inject as service } from '@ember/service';
export default class FooAbility extends Ability {
@service session;
}
The ability classes will now have access to session
which can then be used to check if the user is logged in etc...
In a component, you may want to expose abilities as computed properties so that you can bind to them in your templates.
import Component from '@ember/component';
import { inject as service } from '@ember/service';
import { computed } from '@ember/object';
export default class MyComponent extends Component {
@service abilities; // inject abilities service
post = null; // received from higher template
@computed('post')
get ability() {
return this.abilities.abilityFor('post', this.post /*, customProperties */);
}
}
// Template:
// {{if ability.canWrite "true" "false"}}
If you're using engines and you want to access an ability within it, you will need it to be present in your Engine’s namespace. This is accomplished by doing what is called a "re-export":
//my-engine/addon/abilities/foo-bar.js
export { default } from 'my-app/abilities/foo-bar';
See UPGRADING.md for more details.
Make sure that you've either ember install
-ed this addon, or run the addon
blueprint via ember g ember-can
. This is an important step that teaches the
test resolver how to resolve abilities from the file structure.
An ability unit test will be created each time you generate a new ability via
ember g ability <name>
. The package currently supports generating QUnit and
Mocha style tests.
For testing you should not need to specify anything explicitly. Anyway, you can stub the service following the official EmberJS guide if needed.
git clone https://github.com/minutebase/ember-can.git
cd ember-can
npm install
npm run lint:hbs
npm run lint:js
npm run lint:js -- --fix
ember test
– Runs the test suite on the current Ember versionember test --server
– Runs the test suite in "watch mode"ember try:each
– Runs the test suite against multiple Ember versionsember serve
For more information on using ember-cli, visit https://ember-cli.com/.
See the Contributing guide for details.
This version of the package is available as open source under the terms of the MIT License.
v7.0.0 (2024-09-24)
FAQs
Simple authorization addon for Ember apps
The npm package ember-can receives a total of 6,687 weekly downloads. As such, ember-can popularity was classified as popular.
We found that ember-can demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.