carbond.security.Acl

User and group based access control for endpoints

Instance Properties

entries
AclEntry[]
Default []
Description description An array of ACL descriptors. Each descriptor provides the mechanism to match against a user object by ID or group membership and determine the whether or not a request is allowed for the user and operation using some predicate.
groupDefinitions
Object.<string, (function()|string)>
Default {}
Description This is mapping of group names to “extractors”. An extractor can be a function or a string. If it is a function, it should take a user object as its sole argument and return the group name as a string. Otherwise, it should be a string in property path notation (e.g., “foo.bar.baz”).
permissionDefinitions
Object.<string, (boolean|function())>
Default {}
Description A map of operation name (e.g., ‘get’ or, for collections, ‘find’) to predicate. The predicate can be a boolean or Function. If it is a function, it should take a user and env as arguments.

Methods

and  
Arguments
  • acl (Acl) – The second ACL
Return type Acl
Description Generates an ACL that is the logical conjunction of this ACL and a second ACL
hasPermission  
Arguments
  • user (Object) – A user object
  • permission (string) – The name of the operation being authorized
  • env (Object.<string, Object>) – Request context (e.g., {req: req})
Throws Error
Returns Whether or not the request is authorized
Return type boolean
Description Determines whether the current request is allowed based on the current user (as returned by authenticate) and operation
or  
Arguments
  • acl (Acl) – The second ACL
Return type Acl
Description or Generates an ACL that is the logical disjunction of this ACL and a second ACL

Typedef: AclEntry

Properties

user
string | Object.<string, (string|function())>
Required
Description This is either a “user spec” or a “group spec”. A “user spec” is simply a string. This string either maps to a user ID or it is the wildcard character (“*”), thereby matching any user. A “group spec” is an object with a single key. The value for this key is the group identifier we expect to find in a user object. To extract this group identifier, the same key is used to look up an “extractor” in groupDefinitions.
permissions
Object.<string, (boolean|function())>
Required
Description A map of operation name (e.g., ‘get’ or, for collections, ‘find’) to predicate. The predicate can be a boolean or Function. If it is a function, it should take a user and env as arguments.