module:api/acl
- Description:
ACL for access authorization.
Each ACL is a list of RegExps with a name.
ACLs are grouped by a role, at least one must match in order to succeed.
There are 3 predefined ACLs:
- public - list of files and endpoints that can be accessed without authentication, the default public endpoints are:
  ^/$, .htm$, .html$, .ico$, .gif$, .png$, .jpg$, .jpeg$, .svg$, .ttf$, .eot$, .woff$, .woff2$, .js$, .css$, ^/js/, ^/css/, ^/img, ^/webfonts/, ^/public/, ^/ping
- authenticated - only an authenticated user can access such endpoints
- anonymous - same as public but the request still goes through authentication to set the current user if credentials are provided
To define an ACL named test with its endpoints and allow it for the user role but not for the intern role:
api-acl-add-test = /url1|/url2...
api-acl-allow-user = test
api-acl-deny-intern = test
The user and intern roles are defined in the DbUser table, see module:api/users
- Source:
Examples
make everything public:
api-acl-add-public = ^/
all authenticated users can access the /auth endpoint:
api-acl-authenticated = auth
api-acl-add-auth = ^/auth
only admins can access the /admin endpoint:
api-acl-allow-admin = auth, admins
api-acl-add-admins = ^/admin
users can access /user endpoints but not /user/billing (the -users_deny entry is a negative match, see isMatched):
api-acl-allow-user = auth, users, -users_deny
api-acl-add-users = ^/user
api-acl-add-users_deny = ^/user/billing
Note that the patterns are regular expressions, not path prefixes: ^/user also matches /users and /user-settings, so anchor or terminate a pattern (for example ^/user/) when a bare prefix match is not intended.
Methods
(static) isAllowed(req) → {boolean}
- Description:
For the current user, check the allowed ACLs of each of the user's roles; return true if one of them matched
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| req | Request | |
Returns:
| Type | Description |
|---|---|
| boolean | |
(static) isAnonymous(req) → {boolean}
- Description:
Returns true if the current request is allowed for public or authenticated access
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| req | Request | |
Returns:
| Type | Description |
|---|---|
| boolean | |
(static) isAuthenticated(req) → {boolean}
- Description:
Returns true if the current request must be authenticated, i.e. it matches the authenticated ACL
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| req | Request | |
Returns:
| Type | Description |
|---|---|
| boolean | |
(static) isDenied(req) → {boolean}
- Description:
For the current user, check the denied ACLs of each of the user's roles; return true if one of them matched
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| req | Request | |
Returns:
| Type | Description |
|---|---|
| boolean | |
(static) isMatched(path, acls) → {boolean}
- Description:
Check the path against the given ACL list. An ACL whose name starts with - is a negative match:
if it matches the path, the check fails immediately, regardless of any positive entries in the list
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| path | string | request path to check |
| acls | Array.<object> | ACL entries to match, a name starting with - is a negative match |
Returns:
| Type | Description |
|---|---|
| boolean | |
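The matching rules above (named lists of regexps grouped per role, at least one positive match required, a negative entry failing the check as soon as it matches) together with the api-acl-add-*, api-acl-allow-* and api-acl-deny-* settings from the module description, as an added Node.js example. This is not the api/acl module's own code. The config key names and the default public list are taken from this page; the in-memory layout, splitting an api-acl-add-* value on "|", resolving ACL names at check time, the shape of req (req.path, req.user.type as a list of role names), the sample config and the decision order in authorize() are my assumptions.

```javascript
// Added example (not the api/acl module's own code): a small ACL matcher with the
// semantics described on this page. Everything not stated on the page is an assumption.

// Default public endpoints as listed on the page; patterns are used as-is ("." is unescaped).
const DEFAULT_PUBLIC = ["^/$", ".htm$", ".html$", ".ico$", ".gif$", ".png$", ".jpg$", ".jpeg$",
  ".svg$", ".ttf$", ".eot$", ".woff$", ".woff2$", ".js$", ".css$", "^/js/", "^/css/", "^/img",
  "^/webfonts/", "^/public/", "^/ping"];

let acls, allow, deny;

// Reset all ACLs: only the default public list remains defined.
function reset() {
  acls = { public: DEFAULT_PUBLIC.map(s => new RegExp(s)) }; // name -> [RegExp]
  allow = {};                                                 // role -> [aclName | "-aclName"]
  deny = {};                                                  // role -> [aclName | "-aclName"]
}
reset();

// Parse one "api-acl-* = value" config line. Returns true if the line was an ACL setting.
function configure(line) {
  const m = /^api-acl-(add|allow|deny)-(\w+)\s*=\s*(.+)$/.exec(line.trim());
  if (!m) return false;
  const [, kind, name, value] = m;
  if (kind === "add") {
    // ASSUMPTION: "|" separates regexp sources (as in "/url1|/url2"); a repeated key appends.
    const rxs = value.split("|").map(s => s.trim()).filter(Boolean).map(s => new RegExp(s));
    acls[name] = (acls[name] || []).concat(rxs);
  } else {
    // Comma-separated ACL names; a leading "-" marks a negative (veto) entry.
    (kind === "allow" ? allow : deny)[name] = value.split(",").map(s => s.trim()).filter(Boolean);
  }
  return true;
}

function loadConfig(lines) { return lines.filter(configure).length; }

// Check a path against a list of ACL names. Names are resolved here, at check time, so an
// api-acl-allow-* line may precede the api-acl-add-* it refers to (as in the page's examples).
// A matching negative entry fails the whole check immediately. A positive match does NOT
// short-circuit: the loop keeps going so that a later negative entry can still veto it.
function isMatched(path, names) {
  let matched = false;
  for (const n of names || []) {
    const negative = n.startsWith("-");
    const rxs = acls[negative ? n.slice(1) : n] || []; // an unknown ACL name matches nothing
    const hit = rxs.some(rx => rx.test(path));
    if (negative && hit) return false;
    if (hit) matched = true;
  }
  return matched;
}

// ASSUMPTION: req.path is the request path and req.user.type lists the user's roles.
const rolesOf = req => (req.user && req.user.type) || [];

function isPublic(req)  { return isMatched(req.path, ["public"]); }
function isAllowed(req) { return rolesOf(req).some(role => isMatched(req.path, allow[role])); }
function isDenied(req)  { return rolesOf(req).some(role => isMatched(req.path, deny[role])); }

// Combined decision. ASSUMPTION on the order: public paths need no user, then a user is
// required, then deny lists win over allow lists, then at least one allow list must match.
function authorize(req) {
  if (isPublic(req)) return "public";
  if (!req.user) return "unauthenticated";
  if (isDenied(req)) return "denied";
  return isAllowed(req) ? "allowed" : "forbidden";
}

// Constructed sample config: the examples from this page plus one deny rule for interns.
const SAMPLE_CONFIG = [
  "api-acl-add-auth = ^/auth",
  "api-acl-allow-admin = auth, admins",
  "api-acl-add-admins = ^/admin",
  "api-acl-allow-user = auth, users, -users_deny",
  "api-acl-add-users = ^/user",
  "api-acl-add-users_deny = ^/user/billing",
  "api-acl-deny-intern = users",
];
loadConfig(SAMPLE_CONFIG);

// Constructed requests showing each outcome.
for (const req of [
  { path: "/index.html" },
  { path: "/admin/stats" },
  { path: "/admin/stats", user: { type: ["admin"] } },
  { path: "/user/profile", user: { type: ["user"] } },
  { path: "/user/billing", user: { type: ["user"] } },
  { path: "/user/profile", user: { type: ["user", "intern"] } },
]) console.log(req.path, rolesOf(req).join(",") || "(anonymous)", "->", authorize(req));
```

Run it with node; the printed decisions show the billing veto (a user whose allow list matches /user is still refused on /user/billing because -users_deny matches) and the deny list taking precedence for a user who also holds the intern role. If the real module evaluates entries in a different order (for example returning true on the first positive match before a later negative entry is seen), the "-users_deny" example on this page would not work as described, which is why the loop above never returns early on a positive hit.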
(static) isPublic(req) → {boolean}
- Description:
Returns true if the current request is allowed for public access
- Source:
Parameters:
| Name | Type | Description |
|---|---|---|
| req | Request | |
Returns:
| Type | Description |
|---|---|
| boolean | |
(static) reset()
- Description:
Reset all acls
- Source: