deadalready / easy-rbac Goto Github PK

Allow a user to provide a , in the permission string and then split on the , so that you don't have to glob all permissions but instead you can add a subset. This will cut down on redundant permission string lines.

Thanks for the great little library -- it's very useful!

I use easy-rbac as my authz layer in an Angular 10.x web app. This has brought to my attention that this is packaged as a legacy CommonJS module (I think), which is quite difficult for tree-shakers like webpack to optimise. This causes Angular to complain about the module.

WARNING in /Users/abc/src/xyz/src/app/abc.ts depends on 'easy-rbac'. CommonJS or AMD dependencies can cause optimization bailouts.
For more info see: https://angular.io/guide/build#configuring-commonjs-dependencies

Might it be possible to re-spin this module with ECMAScript exports, as well?

Thank you for your consideration.

I came from your awesome blog post! I have implemented exactly a similar RBAC in one of my projects, however, it does not include the conditional part of it.
My question to you is how can we store those conditions in Database?

I also have another one: What would you suggest if I want Porperty/Role based access control:
For eg: Suppose I have a user property as location! Now I want to give Admin set of privileges to Mr.x but only on other users belonging to his same location. So Mr. x can modify/delete users only belonging in his location.
I think it can be done using the condition part but would like to hear what you have to say.

Hope I'm clear.

Good day,

I have been using your nice library for Node app and React app both are running in production at the moment. Thanks for your great job.

One thing I noticed that if a when function throw an error. The error is being swallowed and easyRBAC return false instead!
With that being siad, it is impossible to know if easyRBAC returns false because when function return false or because it throws an error.

After debugging this library I found the issue in these lines:
https://github.com/DeadAlready/easy-rbac/blob/master/lib/rbac.js#L159
https://github.com/DeadAlready/easy-rbac/blob/master/lib/rbac.js#L176
https://github.com/DeadAlready/easy-rbac/blob/master/lib/utils.js#L19
https://github.com/DeadAlready/easy-rbac/blob/master/lib/utils.js#L29

If you agree with me that easyRBAC should not swallow errors and it should just re-throw errors back to the caller. I would be happy to provide PR if you are busy.

Thanks

I have multiple operations that need checked before giving the access.
If all the operations are valid then rbac should return true else err
Looping through promises and waiting for them seems ugly.

Hi @DeadAlready, first thanks for contributing this library to the OSC!

I was wondering what your disposition is to adding support to wildcard '*' in role initialization.

Some cases worth considering:

Admin
The admin role can do anything -- maybe this is the super user, maybe this is a system operation. But rather than configuring by hand every single operation -- wildcard resource and wildcard action would be a great catch all.

{
 admin: {
    can: ['*:*']
  }
}

Resource Manager
A role that has total responsibility over some resource - maybe articles for the news page, or comments from blog, etc.

{
 editor: {
    can: ['article:*']
  }
}

Moderator
A role that has specific responsibilities over multiple resources - like flagging posts or comments as inappropriate.

{
 moderator: {
    can: ['*:flag']
  }
}

Using wildcard for resources and actions we can provide catchall's that can be reasonably expected to keep working with the addition of new resources or actions on resources without having to update all existing role configurations with new permission.

It is not responding when I am checking an inherited conditional operation resulting unauthorized.

let roles = {
  user: {
    can: [{
      name: "account:view", // can view own account
      when: function(param, callback) {
         setImmediate(callback, null, false); // always false, just for test.
      }
    }]
  },
  writer: {
    can: ["post:create", {
      name: "post:update",
      when: function(param, callback) {
         setImmediate(callback, null, if(own by writer));
      }
    }],
    inherits: ["user"]
  },
  admin: {
    can: ["anything"],
    inherits: ["writer"]
  }
}

when I try to check if writer is allowed to account:view or not, it never responds when its false.
But for conditional operation resulting true it works perfect.

When I say responds, meaning Callback execution

I created some TypeScript definitions to the DT project, just wanted to ask if that's cool?

DefinitelyTyped/DefinitelyTyped#43149

Thank you for the great article at https://blog.nodeswat.com/implement-access-control-in-node-js-8567e7b484d1
I have looked through the repo and tried to use this package - it looks great, however I am missing an ability to provide multiple roles for can method.

I have implemented a naive solution for this use case at https://github.com/agoldis/easy-rbac/blob/multi_roles/lib/rbac.js#L180

Would that be a suitable case for PR?

Would you to share your opinion on getting multiple roles for a user properly for RBAC.

Thank you!

It would be great to have a memoization strategy implemented, for better lookup performance.
Adding memoizee (in a configurable way) may be a good choice.

Hello,

Q changed the way it handles the error message when a Q.any does not return fulfillment value.

err.message = ("Q can't get fulfillment value from any promise, all " +
                      "promises were rejected. Last error message: " + err.message);

see commit https://github.com/kriskowal/q/pull/740/files#diff-a148bc52a39c990d02038097d8177455R1628

So the tests are not valid anymore, because err.message is not anymore equals to 'unauthorized' but instead it is 'Q can't get fulfillment value from any promise, all promises were rejected. Last error message: unauthorized'

Using this module with typescript, wrote this ts.d file, but I'm not confident enough to submit to the @types repository. Thought I'd put it up here to get feedback before submitting.

declare module "easy-rbac" {

    interface when {  
        (theNumber: number) : number;
    }

    interface canObj {
        name: string;
        when: (params:any, callback:() => void) => void;
    }

    interface opts {
        [propName: string]: {
            can: (string | canObj)[],
            inherits?: string[]
        }
    }

    class RBAC {

        constructor(opts:opts);

        can(role: string, operation: string, cb?: (err: any, can: boolean) => void): void;
        can(role: string, operation: string, params?:any): Promise<void>;

        static create(opts: opts): RBAC

    }

    export = RBAC;

}