Attribute Based Access Control Library
The Attribute-Based Access-Control Library lets you define five "can" access abilities:
- Who can? The answer is role: like RBAC, a user can have roles.
- How can it? The answer is action: you can define `any` actions you want (scoped).
- What can? The answer is subject: you can define `all` subjects you want (scoped).
- Where can? The answer is location: with IP and CIDR you can find the location of users.
- When can it? The answer is time: subject availabilities with a cron expression and a duration.
Quick Start Guide
Read more on defining scoped action and subject abilities in this link.
Installation
npm install --save abacl
Usage
Define your user abilities as a JSON array, so you can store it in your database:
import { AccessAbility } from 'abacl';
const abilities: AccessAbility[] = [
  { // the admin ability can do `any`thing with `all` subjects
    role: 'admin',
    action: 'any',
    subject: 'all',
  },
  { // ability scoped by published articles
    role: 'guest',
    action: 'read',
    subject: 'article:published',
  },
  { // the manager can do `any`thing with articles
    role: 'manager',
    action: 'any',
    subject: 'article',
  },
  { // the user can create own articles (scoped by own)
    role: 'user',
    action: 'create:own',
    subject: 'article',
    field: ['*', '!owner'], // filters the input data of the user 
    location: ['127.0.0.1', '192.168.1.0/24'],
    time: [
      { // from 8AM to 6PM
        cron_exp: '* * 8 * * *', // every day from 8AM
        duration: 10 * 60 * 60, // 10 hours in seconds
      },
    ],
  },
  {
    role: 'user',
    action: 'read:own',
    subject: 'article',
  },
  { // the user can read shared articles without `id` properties 
    role: 'user',
    action: 'read:shared',
    subject: 'article',
    filter: ['*', '!id'], // filters output data
  },
  {
    role: 'user',
    action: 'delete:own',
    subject: 'article',
  },
  {
    role: 'user',
    action: 'update:own',
    subject: 'article',
    field: ['*', '!owner'],
  },
];
Article and User definition objects:
const user = {
  id: 1,
  role: 'user',
  ip: '192.168.1.100',
};
const article = {
  id: 1,
  owner: 'user',
  title: 'title',
  content: 'content',
};
Create a new access control object, then get the permission grants:
import AccessControl from 'abacl';
const ac = new AccessControl(abilities);
const permission = ac.can([user.role], 'read', 'article');
if (permission.granted) {
  if (permission.has('own')) {
    // user has read owned article objects
  }
  if (permission.has('shared')) {
    // user can access shared article objects
  }
  // do something ...
  const response = permission.grant('shared').filter(article);
  // Now response has no `id` property, so send it to the user
}
Time and location access check example:
import { Permission } from 'abacl';
const ac = new AccessControl(abilities);
const permission = ac.can([user.role], 'create', 'article', (perm: Permission) => {
  return perm.grant().location(user.ip) && perm.grant().time();
});
if (permission.granted) {
  const inputData = permission.grant().field(article);
  // the `inputData` has no `owner` property
  // do something and then return results to user
}
Thanks a lot
- accesscontrol - Role and Attribute based Access Control for Node.js
- CASL is an isomorphic authorization JavaScript library which restricts what resources a given user is allowed to access.
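For the location check and the `['*', '!owner']` field notation in the usage section above, here is an added example that is not part of the abacl README or its source: a simplified, deny-by-default model of how an IP/CIDR restriction and a negated field list behave. The function names, the constructed ability subset, and the scope-matching rule (`create` matches `create:own`) are assumptions made for illustration.

```javascript
// Added illustration, not abacl's code: simplified deny-by-default model; names are hypothetical.
const sampleAbilities = [ // constructed subset of the abilities listed above
  { role: 'user', action: 'create:own', subject: 'article',
    field: ['*', '!owner'], location: ['127.0.0.1', '192.168.1.0/24'] },
  { role: 'user', action: 'read:shared', subject: 'article', filter: ['*', '!id'] },
];

// Dotted-quad IPv4 -> unsigned 32-bit number, or null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when ip equals the entry or lies inside its CIDR block; fails closed.
function inLocation(ip, entry) {
  const [base, bitsStr, extra] = entry.split('/');
  if (extra !== undefined || (bitsStr !== undefined && !/^\d{1,2}$/.test(bitsStr))) return false;
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null || bits > 32) return false;
  const size = 2 ** (32 - bits); // number of addresses in the block
  return Math.floor(a / size) === Math.floor(b / size);
}

// Assumed scope rule: a query for 'create' matches 'create' and 'create:own'.
function scopedMatch(pattern, wanted, wildcard) {
  return pattern === wildcard || pattern === wanted || pattern.startsWith(wanted + ':');
}

// Grant only if some ability matches role, action, subject and (if set) location.
function canAccess(user, action, subject, abilities = sampleAbilities) {
  return abilities.some((a) => a.role === user.role &&
    scopedMatch(a.action, action, 'any') && scopedMatch(a.subject, subject, 'all') &&
    (!a.location || a.location.some((loc) => inLocation(user.ip, loc))));
}

// Apply ['*', '!owner'] notation: '*' keeps every key, '!key' removes one.
function applyNotation(obj, notation) {
  const denied = new Set(notation.filter((n) => n.startsWith('!')).map((n) => n.slice(1)));
  const keepAll = notation.includes('*');
  return Object.fromEntries(Object.entries(obj)
    .filter(([k]) => !denied.has(k) && (keepAll || notation.includes(k))));
}
```

Whatever evaluates `location`, the address passed in as `user.ip` has to come from the connection or a trusted proxy rather than a client-supplied header, otherwise the CIDR restriction can be bypassed.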