An Access Control List module for node.js. Good for protecting user resources and operations.
// Can 'johnDoe' call 'edit' on post 'XXX-YYY-ZZZ'? The outcome is split three
// ways: allowed, denied (with a reason), or a storage/lookup error.
var query = owner('johnDoe').in('posts').select('XXX-YYY-ZZZ').can('edit');
query
  .success(function () {
    // ... handle success
  })
  .deny(function (reason) {
    // ... handle permission denied
  })
  .error(function (error) {
    // ... handle error
  });
npm install owner
- Easy to use API
- Perfect for middleware
- Grant, Revoke, and Check Permissions
- Query Owner Resources, Resource Methods, Models
- Supports file system storage by default
- Support for custom storage mechanisms (mongodb/mysql/rethinkdb etc.)
- Owner/Model/Resource/Method Identifiers are simple Strings
You won't really encounter these definitions until you start working with Events and Custom Storage, but it's good to know them anyway:
Resource
: A Protected Resource Identifier (ex: a specific Post in a blog)

Model
: An identifier for a Model of Resources (ex: Posts in a blog)

Owner
: The Resource Owner (ex: The Logged-In User)

Method
: A Resource's Method Identifier (ex: `comment`, `edit`, `delete`)
All of them can be virtually anything. They are plain old Strings. What makes them special is the relationship with your protected data.
// Load the module and create one instance for the application.
var Owner = require('owner');
var owner = new Owner();
// Default storage: a JSON file that is cached in memory. It holds the whole
// permission table, so keep it outside any directory served to clients.
owner.storage('file', '/path/to/file.json');
Give access to all methods for `*` (anyone) on the requested post resource:
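// Grant Controller: make the requested post public by granting every method
// ('*') to every owner ('*'). That is world access to edit/delete as well, so
// `posts.public`, which runs first in the route below, must authorize the caller.
function grant($) {
  // The route declares the parameter as `:postId` and the check examples read
  // `$.params.postId`; `$.params.id` is not declared by this route, so the
  // grant would have been applied to an undefined resource.
  var postId = $.params.postId;
  owner('*')
    .in('posts')
    .select(postId)
    .grant('*')
    .success($.return())
    .error(function (error) {
      throw error;
    });
}
// Route: `posts.public` runs before `grant`.
app.post('/posts/:postId/public', posts.public, grant);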
Give access to all methods for the session user on the requested post resource:
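// Grant Controller: give the session user every method ('*') on the
// requested post.
function grant($) {
  // `$.user.id` is the session user; this throws when there is no session,
  // so a login check belongs before this controller in the route.
  var ownerId = $.user.id;
  // The route declares the parameter as `:postId` (as the check examples
  // read it); `$.params.id` is not declared by this route.
  var postId = $.params.postId;
  owner(ownerId)
    .in('posts')
    .select(postId)
    .grant('*')
    .success($.return())
    .error(function (error) {
      throw error;
    });
}
// Route
app.post('/posts/:postId/create', grant, posts.comment);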
Give access to the `comment` and `edit` methods for the session user on the requested post resource:
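// Grant Controller: give the session user only the 'comment' and 'edit'
// methods on the requested post (least privilege compared with '*').
function grant($) {
  // `$.user.id` throws when there is no session; run a login check first.
  var ownerId = $.user.id;
  // The route declares the parameter as `:postId` (as the check examples
  // read it); `$.params.id` is not declared by this route.
  var postId = $.params.postId;
  owner(ownerId)
    .in('posts')
    .select(postId)
    .grant('comment', 'edit') // or ['comment', 'edit']
    .success($.return())
    .error(function (error) {
      throw error;
    });
}
// Route
app.post('/posts/:postId/create', grant, posts.create);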
Revoke the grant to the `comment` method from the session user on the requested post resource.
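// Revoke Controller: take the 'comment' method away from the session user on
// the requested post; other granted methods are untouched.
function revoke($) {
  // `$.user.id` throws when there is no session; run a login check first.
  var ownerId = $.user.id;
  // The route declares the parameter as `:postId` (as the check examples
  // read it); `$.params.id` is not declared by this route.
  var postId = $.params.postId;
  owner(ownerId)
    .in('posts')
    .select(postId)
    .revoke('comment')
    .success($.return())
    .error(function (error) {
      throw error;
    });
}
// Route
app.post('/posts/:postId/remove', revoke, posts.remove);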
Revoke the grant completely from the session user to the requested post resource:
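// Revoke Controller: remove every method ('*') the session user holds on the
// requested post.
function revoke($) {
  // `$.user.id` throws when there is no session; run a login check first.
  var ownerId = $.user.id;
  // The route declares the parameter as `:postId` (as the check examples
  // read it); `$.params.id` is not declared by this route.
  var postId = $.params.postId;
  owner(ownerId)
    .in('posts')
    .select(postId)
    .revoke('*')
    .success($.return())
    .error(function (error) {
      throw error;
    });
}
// Route
app.post('/posts/:postId/remove', revoke, posts.remove);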
Check if the session user has access to the requested post resource:
// Check Controller: let the request continue only if the session user holds
// every method ('*') on the requested post.
function check($) {
  // Failure callback receives (error, reason): a storage/lookup error is
  // rethrown, a denial ends the response with the reason.
  // NOTE(review): if neither argument is set the response is never ended —
  // confirm the library always passes one of them.
  function onFailure(error, reason) {
    if (error) throw error;
    if (reason) $.end('Cannot post: ' + reason);
  }
  // NOTE(review): the grant examples pass `$.return()`, this one passes
  // `$.return` unbound — confirm which form the framework expects.
  owner($.user.id)
    .in('posts')
    .select($.params.postId)
    .can('*')
    .success($.return)
    .error(onFailure);
}
// Route
app.post('/posts/:postId', check, posts.view);
Check if the session user can comment on the requested post:
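// Check Controller: allow the request only if the session user may 'comment'
// on the requested post; anything else is answered as Not Found.
function check($) {
  // `$` was missing from the parameter list, so `$.user` below would have
  // been a ReferenceError (or resolved to an unrelated global) on every call.
  owner($.user.id)
    .in('posts')
    .select($.params.postId)
    .can('comment')
    .success($.return)
    // Both a denial and a storage error become 404: fail-closed, but the
    // error itself is dropped, so consider logging `error` before responding.
    .error(function (error, reason) {
      $.notFound();
    });
}
// Route
app.post('/posts/:postId/comment', check, posts.comment);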
List the methods the session user can call on the requested post:
// Method Controller: list the methods the session user holds on the requested
// post; the list arrives in the success callback's `data` argument.
function methods($) {
  // Any failure (denial or storage error) is answered as Not Found.
  var notFound = function (error, reason) {
    $.notFound();
  };
  // NOTE(review): `$.return` is passed straight through as the success
  // callback, so the listed data is handed to it — confirm that is intended.
  owner($.user.id)
    .in('posts')
    .select($.params.postId)
    .list('methods')
    .success($.return)
    .error(notFound);
}
// Route
app.post('/posts/:postId', methods, posts.view);
List all post resources owned by the session user:
// Resource Controller: collect the post resources owned by the given owner
// into `$.data.resources`, then continue to the next handler.
function resources($) {
  var onListed = function (data) {
    $.data.resources = data.resources;
    $.return();
  };
  var onFailure = function (error, reason) {
    $.notFound();
  };
  // NOTE(review): this reads `$.userId`, while the other controllers use
  // `$.user.id` and the route below declares `:userId` — confirm which owner
  // is meant; the wrong id would list another user's resources.
  owner($.userId)
    .in('posts')
    .list('resources')
    .success(onListed)
    .error(onFailure);
}
// Route
app.post('/user/:userId', resources, posts.view);
List all models for the session user:
// Model Controller: collect the owner's models into `$.data.resources`, then
// continue to the next handler.
function models($) {
  var onListed = function (data) {
    // NOTE(review): the model list is stored under `$.data.resources`, the
    // same key the resources controller uses — confirm this is intended.
    $.data.resources = data.models;
    $.return();
  };
  var onFailure = function (error, reason) {
    $.notFound();
  };
  // NOTE(review): reads `$.userId`, unlike `$.user.id` elsewhere — confirm.
  owner($.userId)
    .list('models')
    .success(onListed)
    .error(onFailure);
}
// Route
app.post('/user/:userId', models, posts.view);
Select an Owner with the specified ownerId (string)
Filter Resources within a Model.
Select a Resource with the specified resourceId.
Check if a Resource with the specified resourceId belongs to the specified User
Check if an Owner has permission to a Method with the specified methodId
for the previously selected resource.
Give an Owner permission to a Method with the specified methodId
for the previously selected resource.
Give an Owner permission to a Method with the specified methodId
for the previously selected resource.
Get a list of `models`, `resources`, or `methods`, or all of them.
Function to run when the operation was successful. The `data` argument of the callback is only available when the `.list()` method is used.
Function to run when the operation has failed.
Examples:
// Every id-taking method accepts one id, several ids, an array of ids, or
// '*' for all of them.
owner.someMethod(a); // single
owner.someMethod(a, b, c); // multiple
owner.someMethod([a, b, c]); // multiple in array
owner.someMethod('*'); // all
The default storage stores permissions in a file and caches it in memory.
To use custom storage you will have to handle the `grant`, `revoke` and `request` events.
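// Custom storage: handle the three events and persist / look up permissions
// yourself. `successCallback` stands for reporting the outcome back to the
// library; the event object carries `success`, `deny` and `error`, so
// presumably that is `event.success()` — confirm against the library.
owner.on('grant', function (event) {
  // ... save to mongodb ...
  successCallback();
});
owner.on('revoke', function (event) {
  // ... remove permission from mongodb
  successCallback(); // was misspelled `succesCallback`
});
owner.on('request', function (event) {
  // ... check permissions in mongodb. Report success only after the lookup
  // found the method; a failed or erroring lookup should go to `deny` /
  // `error` so that storage problems never grant access by default.
  successCallback();
});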
Event Object
- owner
- model
- resource
- method
- success
- deny
- error