deadalready / easy-rbac
RBAC implementation for Node.js
License: MIT License
Allow a user to provide a `,` in the permission string and then split on the `,`, so that you don't have to glob all permissions but can instead add a subset. This will cut down on redundant permission string lines.
Thanks for the great little library -- it's very useful!
I use easy-rbac as my authz layer in an Angular 10.x web app. This has brought to my attention that this is packaged as a legacy CommonJS module (I think), which is quite difficult for tree-shakers like webpack to optimise. This causes Angular to complain about the module.
WARNING in /Users/abc/src/xyz/src/app/abc.ts depends on 'easy-rbac'. CommonJS or AMD dependencies can cause optimization bailouts.
For more info see: https://angular.io/guide/build#configuring-commonjs-dependencies
Might it be possible to re-spin this module with ECMAScript exports, as well?
Thank you for your consideration.
I came from your awesome blog post! I have implemented a very similar RBAC in one of my projects; however, it does not include the conditional part.
My question to you is: how can we store those conditions in a database?
I also have another one: what would you suggest if I want property/role based access control?
For example: suppose I have a user property `location`. Now I want to give an Admin set of privileges to Mr. X, but only over other users belonging to his same location. So Mr. X can modify/delete only users belonging to his location.
I think it can be done using the condition part, but I would like to hear what you have to say.
Hope I'm clear.
Good day,
I have been using your nice library for Node app and React app both are running in production at the moment. Thanks for your great job.
One thing I noticed is that if a `when` function throws an error, the error is swallowed and easyRBAC returns `false` instead!
With that being said, it is impossible to know whether easyRBAC returned `false` because the `when` function returned `false` or because it threw an error.
After debugging this library I found the issue in these lines:
https://github.com/DeadAlready/easy-rbac/blob/master/lib/rbac.js#L159
https://github.com/DeadAlready/easy-rbac/blob/master/lib/rbac.js#L176
https://github.com/DeadAlready/easy-rbac/blob/master/lib/utils.js#L19
https://github.com/DeadAlready/easy-rbac/blob/master/lib/utils.js#L29
If you agree with me that easyRBAC should not swallow errors and should just re-throw them to the caller, I would be happy to provide a PR if you are busy.
Thanks
I have multiple operations that need to be checked before giving access.
If all the operations are valid then rbac should return true, else err.
Looping through promises and waiting for them seems ugly.
Hi @DeadAlready, first thanks for contributing this library to the OSC!
I was wondering what your disposition is to adding support for a wildcard '*' in role initialization.
Some cases worth considering:
Admin
The admin role can do anything -- maybe this is the super user, maybe this is a system operation. But rather than configuring every single operation by hand, a wildcard resource and wildcard action would be a great catch-all.
{
admin: {
can: ['*:*']
}
}
Resource Manager
A role that has total responsibility over some resource - maybe articles for the news page, or comments from blog, etc.
{
editor: {
can: ['article:*']
}
}
Moderator
A role that has specific responsibilities over multiple resources - like flagging posts or comments as inappropriate.
{
moderator: {
can: ['*:flag']
}
}
Using wildcards for resources and actions we can provide catch-alls that can reasonably be expected to keep working as new resources or actions on resources are added, without having to update all existing role configurations with new permissions.
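An added example, written for this page and not easy-rbac's own code: a matcher for `resource:action` permission strings that implements the three patterns proposed above (`*:*`, `article:*`, `*:flag`), plus inheritance expansion so the match is applied across a role's parents. The role configuration below is constructed for illustration and the function names are assumptions.

```javascript
// Added example (not easy-rbac's own code): wildcard matching for
// "resource:action" permission strings. A literal '*' on either side
// matches any value; no partial globs such as 'art*' are supported.

function parseOperation(op) {
  // Split on the first colon only; a bare string becomes a resource with
  // an empty action so that exact-string permissions still compare equal.
  const idx = op.indexOf(':');
  return idx === -1 ? [op, ''] : [op.slice(0, idx), op.slice(idx + 1)];
}

function permissionMatches(pattern, operation) {
  const [pRes, pAct] = parseOperation(pattern);
  const [oRes, oAct] = parseOperation(operation);
  const resOk = pRes === '*' || pRes === oRes;
  const actOk = pAct === '*' || pAct === oAct;
  return resOk && actOk;
}

// Collects the role and everything it inherits; the `seen` set also
// guards against cyclic `inherits` chains.
function expandRoles(roles, roleName, seen = new Set()) {
  if (seen.has(roleName)) return seen;
  const role = roles[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  seen.add(roleName);
  for (const parent of role.inherits || []) expandRoles(roles, parent, seen);
  return seen;
}

// Synchronous check over plain and conditional permissions (conditional
// entries are matched by name only here; `when` hooks are out of scope).
function canSync(roles, roleName, operation) {
  for (const name of expandRoles(roles, roleName)) {
    for (const perm of roles[name].can) {
      const pattern = typeof perm === 'string' ? perm : perm.name;
      if (permissionMatches(pattern, operation)) return true;
    }
  }
  return false; // deny by default
}

// Constructed sample configuration using the three patterns from the post.
const roles = {
  admin: { can: ['*:*'] },
  editor: { can: ['article:*'], inherits: ['moderator'] },
  moderator: { can: ['*:flag'] },
  user: { can: ['article:read'] },
};

console.log('editor -> comment:flag:', canSync(roles, 'editor', 'comment:flag'));
console.log('editor -> comment:delete:', canSync(roles, 'editor', 'comment:delete'));
```

A resource-side wildcard such as `*:flag` grants the action on every resource that will ever be added, which is exactly the convenience asked for, but it also means a new resource is covered without anyone reviewing the grant. Keep such patterns to a small number of roles and diff the fully expanded permission set whenever the role table changes.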
It is not responding when I am checking an inherited conditional operation that results in unauthorized.
let roles = {
  user: {
    can: [{
      name: "account:view", // can view own account
      when: function(param, callback) {
        setImmediate(callback, null, false); // always false, just for test.
      }
    }]
  },
  writer: {
    can: ["post:create", {
      name: "post:update",
      when: function(param, callback) {
        // stands in for "owned by writer"; the field names are assumed
        setImmediate(callback, null, param.authorId === param.userId);
      }
    }],
    inherits: ["user"]
  },
  admin: {
    can: ["anything"],
    inherits: ["writer"]
  }
}
When I try to check whether `writer` is allowed `account:view` or not, it never responds when the result is `false`.
But for a conditional operation resulting in `true` it works perfectly.
When I say "responds", I mean callback execution.
I created some TypeScript definitions to the DT project, just wanted to ask if that's cool?
Thank you for the great article at https://blog.nodeswat.com/implement-access-control-in-node-js-8567e7b484d1
I have looked through the repo and tried to use this package - it looks great; however, I am missing the ability to provide multiple roles to the `can` method.
I have implemented a naive solution for this use case at https://github.com/agoldis/easy-rbac/blob/multi_roles/lib/rbac.js#L180
Would that be a suitable case for PR?
Would you share your opinion on how to properly handle multiple roles for a user in RBAC?
Thank you!
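One added example, not the project's implementation, that covers three of the requests above: the report that a throwing `when` hook is swallowed into `false`, the report that an inherited condition never calls back when it is false, and the request for multiple roles in one `can` call. The hook is wrapped in a Promise so that an error rejects instead of being reported as `false`, a `false` result still completes (including through `inherits`), and any of several roles can grant access. The config shape and the `when(params, callback)` signature follow the posts; the sample roles, the `audit:read` permission and the `userId`/`accountId`/`authorId` fields are constructed for illustration.

```javascript
// Added example (not easy-rbac's own code). See the lead-in for what it
// demonstrates and which names are assumptions.

// Runs a callback-style `when(params, callback)` hook as a Promise.
// Errors (thrown or passed to the callback) reject; results resolve.
function runWhen(when, params) {
  return new Promise((resolve, reject) => {
    let settled = false;
    const finish = (err, ok) => {
      if (settled) return; // a hook that calls back twice is ignored
      settled = true;
      if (err) reject(err); else resolve(Boolean(ok));
    };
    try {
      const ret = when(params, finish);
      // Also accept hooks that return a Promise or a plain boolean.
      if (ret && typeof ret.then === 'function') {
        ret.then(v => finish(null, v), finish);
      } else if (typeof ret === 'boolean') {
        finish(null, ret);
      }
    } catch (err) {
      finish(err); // a synchronous throw is surfaced, never turned into false
    }
  });
}

// Depth-first search of one role and its parents. `seen` prevents
// re-evaluation and breaks cycles; a role already seen cannot newly grant.
async function roleAllows(roles, roleName, operation, params, seen) {
  if (seen.has(roleName)) return false;
  seen.add(roleName);
  const role = roles[roleName];
  if (!role) throw new Error(`unknown role: ${roleName}`);
  for (const perm of role.can) {
    if (typeof perm === 'string') {
      if (perm === operation) return true;
      continue;
    }
    if (perm.name !== operation) continue;
    // A rejected condition propagates; a false one keeps searching.
    if (await runWhen(perm.when, params)) return true;
  }
  for (const parent of role.inherits || []) {
    if (await roleAllows(roles, parent, operation, params, seen)) return true;
  }
  return false; // always answers, even when every condition was false
}

// `roleNames` may be one role or an array; access is granted if any allows.
async function can(roles, roleNames, operation, params = {}) {
  const names = Array.isArray(roleNames) ? roleNames : [roleNames];
  const seen = new Set();
  for (const name of names) {
    if (await roleAllows(roles, name, operation, params, seen)) return true;
  }
  return false;
}

// Constructed sample roles, modelled on the inheritance example above.
const roles = {
  user: {
    can: [{
      name: 'account:view',
      when: (p, cb) => setImmediate(cb, null, p.userId === p.accountId),
    }],
  },
  writer: {
    can: ['post:create', {
      name: 'post:update',
      when: (p, cb) => setImmediate(cb, null, p.userId === p.authorId),
    }],
    inherits: ['user'],
  },
  auditor: {
    // Simulates a data-store failure inside a condition.
    can: [{ name: 'audit:read', when: () => { throw new Error('lookup failed'); } }],
  },
};

// Demo: an inherited false condition still answers; a failing hook rejects.
can(roles, 'writer', 'account:view', { userId: 1, accountId: 2 })
  .then(ok => console.log('writer account:view on another account:', ok));
can(roles, 'auditor', 'audit:read')
  .catch(err => console.error('condition failed:', err.message));
```

The security-relevant choice is in `runWhen`: a condition that cannot be evaluated is an error, not a denial. Collapsing it into `false` is fail-closed for that one call, but it hides outages and bugs in the policy layer from the caller and from monitoring; surfacing the rejection lets the caller decide to deny and alert.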
It would be great to have a memoization strategy implemented, for better lookup performance.
Adding memoizee (in a configurable way) may be a good choice.
Hello,
Q changed the way it handles the error message when a Q.any does not return a fulfillment value.
err.message = ("Q can't get fulfillment value from any promise, all " +
"promises were rejected. Last error message: " + err.message);
see commit https://github.com/kriskowal/q/pull/740/files#diff-a148bc52a39c990d02038097d8177455R1628
So the tests are not valid anymore, because err.message no longer equals 'unauthorized' but is instead 'Q can't get fulfillment value from any promise, all promises were rejected. Last error message: unauthorized'.
Using this module with TypeScript, I wrote this .d.ts file, but I'm not confident enough to submit it to the @types repository. Thought I'd put it up here to get feedback before submitting.
declare module "easy-rbac" {
  // A conditional permission: `when` receives the params passed to `can`
  // and reports its decision through a Node-style callback.
  interface canObj {
    name: string;
    when: (params: any, callback: (err: any, result: boolean) => void) => void;
  }
  // Role table: each role lists what it can do and which roles it inherits.
  interface opts {
    [propName: string]: {
      can: (string | canObj)[];
      inherits?: string[];
    };
  }
  class RBAC {
    constructor(opts: opts);
    can(role: string, operation: string, cb: (err: any, can: boolean) => void): void;
    can(role: string, operation: string, params?: any): Promise<boolean>;
    static create(opts: opts): RBAC;
  }
  export = RBAC;
}