api/acl

module:api/acl

Description:
  • ACL for access authorization.

    Each ACL is a list of RegExps with a name.

    ACLs are grouped by a role, at least one must match in order to succeed.

    To define an ACL named test with endpoints and allow it for user but not intern roles:

    api-acl-add-test = /url1|/url2...
    
    api-acl-allow-user = test
    api-acl-deny-intern = test
    

    The user and intern roles are defined in the DbUser table, see module:api/users

Source:
Examples

public endpoints by convention to use * as fallback, used in module:middleware/users

api-acl-add-* = ^/
api-acl-add-* = ^/auth

only admins can access /admin endpoint

api-acl-allow-admin = admins
api-acl-add-admins = ^/admin

users can access /users but not /users/billing

api-acl-allow-user = auth, users, -users_deny
api-acl-add-users = ^/user

api-acl-add-users_deny = ^/user/billing

Methods

(static) isAllowed(path, roles) → {undefined|string}

Description:
  • Check the path and roles against allowed ACLs

Source:
Parameters:
Name Type Description
path string
roles Array.<string>
Returns:
Type Description
undefined | string
  • matched role
Example
api.acl.isAllowed(context.path, ["admin", "billing"])

(static) isDenied(path, roles) → {undefinded|string}

Description:
  • Check the path and roles against denied ACLs

Source:
Parameters:
Name Type Description
path string
roles Array.<string>
Returns:
Type Description
undefinded | string
  • matched role
Example
api.acl.isDenied(context.path, ["admin", "billing"])

(static) isMatched(path, acls) → {undefined|null|string}

Description:
  • Check the path agains given list of ACL names, if a name starts with - it means negative match, the check fails immediately and returns null

Source:
Parameters:
Name Type Description
path string
acls string | Array.<string>
Returns:
Type Description
undefined | null | string
  • matched positive acl
Example
api.acl.isMatched(context.path, "*");
api.acl.isMatched(context.path, ["user", "-intern"]);
api.acl.isMatched(context.path, "admin");

(static) reset()

Description:
  • Reset all acls

Source: