Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
93 lines (75 sloc) 2.62 KB

ACL Rules

Palisade has three categories of security rules:

document

  • Each key is an operation type (for example: list, read, create, delete, update) that can be performed at a document level
  • You may specify any number of operation types named however you like
    • Personally, I always use these ones as they translate well to REST endpoints:
      • list - Can they query for more than one document
      • read - Can they read a single document
      • create - Can they create a new document
      • update - Can they update fields on an existing document
      • replace - Can they completely replace an existing document
      • delete - Can they delete an existing document

read

  • Each key is a field name that corresponds to your schema
  • The value is an array of roles that can update the field
  • The value can also be an object with more fields inside of it for nested data

write

  • Each key is a field name that corresponds to your schema
  • The value is an array of roles that can update the field
  • The value can also be an object with more fields inside of it for nested data

Example Schema

In this example ruleset:

  • Anyone can list users
  • Anyone can read a single user
  • Anyone read a user's public fields id and name
  • Users can update themselves, but only their own birthday
  • Admins can create, update, replace, or delete any user
var userSchema = {
  document: {
    read: ['public'],
    create: ['admin'],
    update: ['admin', 'self'],
    replace: ['admin'],
    delete: ['admin']
  },
  read: {
    id: ['public'],
    name: ['public'],
    birthday: ['admin', 'self'],
    times: {
      created: ['admin']
    }
  },
  write: {
    id: ['admin'],
    name: ['admin'],
    birthday: ['admin', 'self'],
    times: {
      created: ['admin']
    }
  }
};

If you don't define a category or a rule for a field or type, the default is to deny access.

Plugging it in

To add the security functionality to a Thinky model, pass the palisade function the model and your security schema.

This does a few things:

  • Adds a .screen() function to the Model class and all Model instances
  • Adds a .authorized() function to the Model class and all Model instances
  • Adds your security ruleset as a .security property on the Model class
    • This makes it easy for models to extend eachother's security rules
import db from 'connections/thinky'
import palisade from 'palisade'

const User = db.createModel('User', {
  id: String,
  name: String,
  birthday: Date,
  times: {
    created: Date
  }
})
palisade(User, userSchema)