Permissions provide information about the actions a user is allowed to perform against an API. This module wraps a permissionArray - which contains the permission data - and provides methods to extract information from it.
The permissionArray is an array of permission objects. Each one ties a user to actions relevant to a specific object or topic. Permission objects have three keys:
A permissionArray represents the union of all its permissions; the user who owns it can access everything each permissions allows him to. When multiple permissions can match an object, their grants are OR'd together.
var PermissionSet = require('flexperm');
var permArray = [ {
target: 'ordering',
match: {
brandId: 'zcafe'
},
grant: {
get: true,
cancel: true,
void: true
}
} ];
var permSet = new PermissionSet(permArray);
var grant = permSet.getTargetGrant('ordering', {
brandId: 'zcafe',
orderId: 'abcde12345'
});
getTargetGrant takes a target and an object to match the permission against; the match object of the permArray is used as query against the object given to getTargetGrant. Since the targets are the same and the match...well, matches, this permission's grant can be used.
getTargetGrant returns a Grant object, which contains information about all the grants that matched the query. It is used to determine whether specific operations are permitted. The methods to use depend on what you are trying to do. The use cases for permissions fall into two broad categories, which are outlined below.
When dealing with direct object access through the API, permissions are used to restrict what users can do to those objects, and to which parts of them. An example permission of this sort:
{
target: 'User',
match: {
ns: 'brand_zcafe'
},
grant: {
read: true,
readMask: true,
update: true,
updateMask: {
phone: true,
email: true
}
}
}
The user here is given permission to read the user data for any user belonging to the zcafe namespace, and may update
them as well - however, his updates may only touch the phone and email fields.
In order to validate that a given update is permissible, we must check both that the requesting user has both update permission and that his updateMask allows all his update parameters.
// var permSet, updateData both set
var user = getUserData(/*...*/);
var grant = permSet.getTargetGrant('User', user);
grant.check('update'); // Throws XError on failure
grant.checkMask('updateMask', updateData); // Throws XError on failure
Permission are also used to restrict access to API calls that don't pertain to accessing objects. In this case, the argument to 'getTargetGrant' will be a 'virtual' object that represents the parameters to the procedure. The grant will generally be a map of procedure names to true, representing the procedures. Consider the first example again:
// An brand admin with access to view, cancel, and void any order in his brand
var permArray = [ {
target: 'ordering',
match: {
brandId: 'zcafe'
},
grant: {
get: true,
cancel: true,
void: true
}
} ];
var permSet = new PermissionSet(permArray);
var orderPermissionData = {
brandId: 'zcafe',
orderId: 'abcde12345'
};
// Is user authorized to void a specific order?
permSet.getTargetGrant('ordering', orderPermissionData).check('void'); // returns true
// Is user authorized to submit a specific order?
permSet.getTargetGrant('ordering', orderPermissionData).check('submit'); // throws XError
// Is user authorized to submit an order for a different brand?
orderPermissionData.brandId = 'billy-bobs-burger-bayou';
permSet.getTargetGrant('ordering', orderPermissionData).check('void'); // throws XError
There is occasionally a need to have authorization represented by a number instead of a boolean, such as when restricting the size of a file a user may upload. There is a special syntax for this:
var permSet = new PermissionSet([ {
target: 'file',
match: { /*...*/ },
grant: {
fileSize: {
grantNumber: true,
min: 0,
max: 1000
}
}
} ])
var grant = permSet.getTargetGrant('file', { filename: 'thing.txt' });
grant.checkNumber('fileSize', 50); // Returns true
grant.checkNumber('fileSize', 5000); // Throws XError
A target can have the special value '*', which will match every target checked against it. Thus, an admin permission, one that will be authorized to do anything, looks like this:
{
target: '*',
match: {},
grant: true
}
FAQs
Flexible, granular, and fast permissions
The npm package flexperm receives a total of 15 weekly downloads. As such, flexperm popularity was classified as not popular.
We found that flexperm demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Company News
Socket is joining TC54 to help develop standards for software supply chain security, contributing to the evolution of SBOMs, CycloneDX, and Package URL specifications.
Security News
PyPI now allows maintainers to archive projects, improving security and helping users make informed decisions about their dependencies.
Research
Security News
Malicious npm package postcss-optimizer delivers BeaverTail malware, targeting developer systems; similarities to past campaigns suggest a North Korean connection.