User and group based access control for endpoints
Description description An array of ACL descriptors. Each descriptor provides the mechanism to match against a user object by ID or group membership and determine the whether or not a request is allowed for the user and operation using some predicate.
Description This is mapping of group names to “extractors”. An extractor can be a function or a string. If it is a function, it should take a user object as its sole argument and return the group name as a string. Otherwise, it should be a string in property path notation (e.g., “foo.bar.baz”).
Description A map of operation name (e.g., ‘get’ or, for collections, ‘find’) to predicate. The predicate can be a boolean or Function. If it is a function, it should take a user and env as arguments.
- acl (
Acl) – The second ACL
Description Generates an ACL that is the logical conjunction of this ACL and a second ACL
- acl (
- user (Object) – A user object
- permission (string) – The name of the operation being authorized
- env (Object.<string, Object>) – Request context (e.g.,
Throws Error Returns Whether or not the request is authorized Return type boolean Description Determines whether the current request is allowed based on the current user (as returned by
authenticate) and operation
string | Object.<string, (string|function())>
Required Description This is either a “user spec” or a “group spec”. A “user spec” is simply a string. This string either maps to a user ID or it is the wildcard character (“*”), thereby matching any user. A “group spec” is an object with a single key. The value for this key is the group identifier we expect to find in a user object. To extract this group identifier, the same key is used to look up an “extractor” in
Required Description A map of operation name (e.g., ‘get’ or, for collections, ‘find’) to predicate. The predicate can be a boolean or Function. If it is a function, it should take a user and env as arguments.