Package Exports
- access-control-rules
This package does not declare an exports field, so the exports above have been automatically detected and optimized by JSPM instead. If any package subpath is missing, it is recommended to post an issue to the original package (access-control-rules) to support the "exports" field. If that is not possible, create a JSPM override to customize the exports field for this package.
Readme
access-control-rules
Access control for hierarchical data.
Why
Factored out of a hyperbase server implementation.
How
Make some rules:
var rules = {
'.read': true,
things: {
'$id': {
'.read': function (cb) {
cb(null, this.id === '0')
},
'.write': function (value, cb) {
cb(null, value && this.id === '0')
},
nested: {
reserved: {
'.write': false
}
}
}
}
}Then check to see if you have permission to read and write stuff:
var ac = require('access-control-rules')
ac.read(rules, null, '/things/0'.split('/'), function (err, allow) {
// allow === true
})
ac.read(rules, null, '/things/1'.split('/'), function (err, allow) {
// allow === false
})
ac.write(rules, null, '/things/0'.split('/'), 'thing!', , function (err, allow) {
// allow === true
})
ac.write(rules, null, '/things/1'.split('/'), 'thing!', function (err, allow) {
// allow === false
})
ac.write(rules, null, '/things/0'.split('/'))
// allow === false
})
ac.write(rules, null, '/things/0'.split('/'), { nested: { x: 42 }}, function (err, allow) {
// allow === true
})
ac.write(rules, null, '/things/0'.split('/'), { nested: { reserved: 42 }}, function (err, allow) {
// allow === false
})Test
$ npm test$ npm run test-browser (depends on a globally installed zuul)
Prior art
The idea is based on Firebase's security rules. The main important difference is that ".read" rules do not check any nested rules - this allows masking specific fields when reading objects.
License
WTFPL