Is there any example how to use updateOwn?

[bhargav-sae]

Could you provide any example how to use updateOwn?

[onury]

Sure.

Scenario: Role "user" can read any photo resource but update own photos only.

Example:

Define Access Permissions

var ac = new AccessControl();
ac.grant('user')
    .readAny('photo', ['*', '!id'])
    .updateOwn('photo', ['*', '!id']);

Note that the user can only update own photo resource but cannot alter the id of the photo resource, even if its own photo.

Define App Routes

For an express.js app, we'll define 2 routes for the photo resource.

1. Any-photo route: GET /photos/:id

    router.get('/photos/:id', function (req, res, next) {
        var permission = ac.can(req.user.role).readAny('photo');
        if (permission.granted) {
            Photo.find({ id: req.params.id }, function (err, data) {
                if (err || !data) return res.status(404).end();
                // filter data by permission attributes and send.
                res.json(permission.filter(data)); // .id is filtered out
            });
        } else {
            // resource is forbidden for this user/role
            res.status(403).end();
        }
    });

2. Own-photo route: PUT /users/:username/photos/:id

    router.put('/users/:username/photos/:id', function (req, res, next) {
        var role = req.user.role;
        // check if the request is for own photos or any
        var permission = (req.user.name === req.params.username)
            ? ac.can(role).updateOwn('photo')
            : ac.can(role).updateAny('photo');
        
        if (permission.granted) {
            // we filter the posted request body so that only 
            // allowed attributes are used to update the resource.
            var sanitizedData = permission.filter(req.body); // .id is filtered out
            Photo.update(req.params, sanitizedData, function (err, result) {
                // either send 404 if not found or 5xx if a server/database error
                if (err || !result) return res.status(404).end();
                res.json(result);
            });
        } else {
            res.status(403).end(); // forbidden
        }
    });

Hope this makes it clear for you.

[bhargav-sae]

I believe for this you have to include :username in route.
what if I do not have any :username in route? for example PUT /photos/:id

[onury]

That's a design decision. I gave you just one scenario. What you're asking is a question for REST API design.

AccessControl only tells you whether a specific role is authorized to access own/any resource(s). It has no information (or goal) to check whether the actual resource (the record) is owned by a specific, actual user.

It only checks if an action is allowed on "own" (or "any") resource. This is by definition.

The route /photos/:id has no claim of a resource owner (implicit role) in the query params (and probably none in req body). So your middleware should get the original resource owner itself and determine whether this is a request for an own resource. If so, AC can check whether that role can actually preform that action on own resource.

In other words,

• identifying whether an actual request is for an owned resource
• checking whether a role can perform some action on own resource(s)

are two different things.

[bhargav-sae]

@onury alright, thanks for quick replies.

[Vishwas-75]

updateOwn it should throw an error if req. body consists of inaccessible attributes .
@onury