dmapper / share-access Goto Github PK

JavaScript 100.00%

share-access's Introduction

Access-control plugin for sharejs, racer and derby

Usage

Plug in the middleware:

var shareAccess = require('share-access');

// plug in
shareAccess.setup(shareInstance);
// Or
derby.use(shareAccess);
// Or
racer.use(shareAccess);

Using share-access you can control create, read, update, and delete database operation for every collection. You can use two types of rules: allow and deny. By default all the operations are denied. So, you should add some rules to allow them. If at least one allow-rule allows the write, and no deny-rules deny the write, then the write is allowed to proceed.

You can call allow and deny-rules as many times as you like. The functions should return true if they think the operation should be allowed for allow rules and denied for deny-rules. Otherwise they should return false, or nothing at all (undefined).

Create

// Allow create-operation for collection 'items'

// docId - id of your doc for access-control
// doc   - document object
// session - your connect session

shareAccess.allowCreate('items', function(docId, doc, session){
  return true;
});

// Deny creation if user is not admin
shareAccess.denyCreate('items', function(docId, doc, session){
  return !session.isAdmin;
});

// So, finally, only admins can create docs in 'items' collection
// the same results is if you just write:

shareAccess.allowCreate('items', function(docId, doc, session){
  return session.isAdmin;
});

Read

Interface is like create-operation

shareAccess.allowRead('items', function(docId, doc, session){
  // Allow all operations
  return true;
});

shareAccess.denyRead('items', function(docId, doc, session){
  // But only if the reader is owner of the doc
  return doc.ownerId !== session.userId;
});

Delete

Interface is like create-operation

shareAccess.allowDelete('items', function(docId, doc, session){
  // Only owners can delete docs
  return doc.ownerId == session.userId;
});

shareAccess.denyDelete('items', function(docId, doc, session){
  // But deny deletion if it's a special type of docs
  return doc.type === 'liveForever';
});

Update

// docId - id of your doc for access-control
// oldDoc  - document object (before update)
// newDoc  - document object (after update)
// path    - array of update path segments - f.e = ['name'] if we are 
//           changing doc.name
// session - your connect session

shareAccess.allowUpdate('items', allowUpdateAll);

function allowUpdateAll(docId, oldDoc, newDoc, path, session){
  return true;
}

shareAccess.denyUpdate('items', denyForNonAdmin);

function denyForNonAdmin(docId, oldDoc, newDoc, path, session){
  // If you are not an admin you can change only 'description'
  return !session.isAdmin && path[0] !== 'description';
}

MIT License

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

share-access's People

Contributors

Stargazers

Watchers

Forkers

balek gitter-badger curran bbweb biggerflip

share-access's Issues

0.1.4 is not published in npm

You know what to do... :)

DenyRead not working properly

Hello,

Currently I have a test derby application with share-access. The deny-update function is working, but the deny-read function is not. I have the following deny-read function:

  shareAccess.denyRead('items', function(docId, doc, session) {
    return true;
  });

When I query the items with the following method:

    model.query('items', {}).ref('_page.items');

I do get the following error in my browser console:

403: Permission denied (read), collection: items, docId: 1dba676d-f6a0-4bcf-b248-9833027751ae microevent.js:45
Error: 403: Permission denied (read), collection: items, docId: 1dba676d-f6a0-4bcf-b248-9833027751ae {stack: (...), message: "403: Permission denied (read), collection: items, docId: 1dba676d-f6a0-4bcf-b248-9833027751ae"}

However, I still get the model in my app. Also when I run app.model.get('items. 1dba676d-f6a0-4bcf-b248-9833027751ae') I'm still getting the model in the output.

I'm using derby 0.6.0-alpha25, share 0.7.3, racer 0.6.0-alpha22 and share-access 0.1.3

Thanks in advance.

Read projection will never fire allowRead('projection')

// posts - is real collection
backend.addProjection('posts_projection', 'posts', {id: true, title: true});

backend.allowRead('posts', async (docId, doc, session) => {
  // Read posts_projection will fire this callback
  return true;
});

backend.allowRead('posts_projection', async (docId, doc, session) => {
  // We will never reach here and is still possible to read posts_projection
  return false;
});

In derbyjs-app:

 model.query('posts_users', {}); // Will fire allowRead('posts') instead of allowRead('posts_projection'), but this is wrong

no method 'filter'

> coffee server.coffee

Master pid  14891
TypeError: Object #<Backend> has no method 'filter'
  at Function.exports.setup (/home/user/project/node_modules/share-access/lib/index.js:28:15)
  at Racer.<anonymous> (/home/user/project/node_modules/share-access/lib/index.js:18:13)
  at Racer.emit (events.js:95:17)
  at Racer.createStore (/home/user/project/node_modules/derby/node_modules/racer/lib/Racer.server.js:9:8)
  at module.exports (/home/user/project/server/store.coffee:13:17)
  at /home/user/project/server.coffee:29:11
  at Racer.Derby.run (/home/user/project/node_modules/derby/lib/Derby.server.js:17:5)
  at Object.<anonymous> (/home/user/project/server.coffee:20:7)
  at Object.<anonymous> (/home/user/project/server.coffee:1:1)
  at Module._compile (module.js:456:26)
  at Object.exports.run (/home/user/project/node_modules/coffee-script/lib/coffee-script/coffee-script.js:134:23)
  at compileScript (/home/user/project/node_modules/coffee-script/lib/coffee-script/command.js:224:29)
  at compilePath (/home/user/project/node_modules/coffee-script/lib/coffee-script/command.js:174:14)
  at Object.exports.run (/home/user/project/node_modules/coffee-script/lib/coffee-script/command.js:98:20)
  at Object.<anonymous> (/home/user/project/node_modules/coffee-script/bin/coffee:7:41)
  at Module._compile (module.js:456:26)
  at Object.Module._extensions..js (module.js:474:10)
  at Module.load (module.js:356:32)
  at Function.Module._load (module.js:312:12)
  at Function.Module.runMain (module.js:497:10)
  at startup (node.js:119:16)
  at node.js:935:3

I have derby 0.7.1 and only 2 additionsl code lines in server.coffee

async = require 'async'
derby = require 'derby'

shareAccess = require 'share-access'
derby.use shareAccess

Client keep retrying after failed op

Using derby 0.6.0-alpha61 if the server rejects an op the client keeps retrying over and over.

Error example done on a del op

Error: Op apply failed and the operation could not be reverted dosc.8272454f-6c43-4d9a-aa53-037b46506a90 {"a":"ack","error":"403: Permission denied (delete), collection: docs, docId: 8272454f-6c43-4d9a-aa53-037b46506a90","c":"docs","d":"8272454f-6c43-4d9a-aa53-037b46506a90"}