
rbac2


Simple RBAC checker with support for context checks.

Installation

npm install rbac2

Usage

Simple roles

var RBAC = require('rbac2');

var rules = [
    {a: 'author', can: 'publish posts'},
    {a: 'editor', can: 'edit posts'},
    {a: 'editor', can: 'author'},
    {a: 'admin',  can: 'editor'},
    {a: 'admin',  can: 'do admin'}
];

var rbac = new RBAC(rules);

// Perform a check
rbac.check('admin', 'edit posts', function (err, result) {
    // result: true
});

Adding context checks

You can specify context checks in rules by adding a when function:

var rules = [
    {a: 'author', can: 'publish posts'},
    {a: 'editor', can: 'edit posts'},
    {a: 'user',   can: 'editor', when: function (params, callback) {
        db.findOne('tbl_post_editors', {
            'post_id': params.postId,
            'user_id': params.userId
        }, function (err, row) {
            // the result handed back must be a boolean; a row object or null is not one
            callback(err, !!row);
        });
    }},
    {a: 'editor', can: 'author'},
    {a: 'admin',  can: 'editor'},
    {a: 'admin',  can: 'do admin'}
];

And check by passing context parameters:

rbac.check('user', 'edit posts', {postId: 23, userId: 12}, function (err, result) {
    // ...
});

In the code above, we set the rule that a 'user' is treated as an 'editor' for a post only if the database records that user as an editor of that post. Here, when is a check you supply; it receives the params object passed to the check call.

After doing its business logic, the when function must call the callback as callback(err, result), where result is a boolean. If err is not null, the check is treated as failed, whatever result holds.
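The following is an added example of writing a when function against a node-style data store; it is not part of rbac2 and does not depend on it. POST_EDITORS and the db object are constructed stand-ins for the README's db.findOne('tbl_post_editors', ...) call, and editorResult is a helper that only works because the stand-in calls back synchronously.

```javascript
'use strict';

// Constructed in-memory stand-in for tbl_post_editors (not real data).
var POST_EDITORS = [
  {post_id: 23, user_id: 12},
  {post_id: 42, user_id: 12}
];

var db = {
  // Mimics findOne(table, query, callback): calls back with the matching row,
  // with null when nothing matches, or with an error for an unknown table.
  findOne: function (table, query, callback) {
    if (table !== 'tbl_post_editors') {
      return callback(new Error('unknown table ' + table));
    }
    var row = POST_EDITORS.filter(function (r) {
      return r.post_id === query.post_id && r.user_id === query.user_id;
    })[0] || null;
    callback(null, row);
  }
};

// Accept only positive integers as identifiers.
function isId(v) {
  return typeof v === 'number' && Number.isInteger(v) && v > 0;
}

// Three things the callback(err, result) contract needs from a when() function:
// 1. fail closed on missing or malformed context instead of querying with
//    undefined keys (with some drivers, MongoDB's for one, such a query can
//    match rows where the field is null or missing);
// 2. a row object is not a boolean: coerce it with !!row;
// 3. pass a store error through so the check counts as failed.
function isPostEditor(params, callback) {
  var postId = params && params.postId;
  var userId = params && params.userId;
  if (!isId(postId) || !isId(userId)) {
    return callback(null, false);
  }
  db.findOne('tbl_post_editors', {post_id: postId, user_id: userId}, function (err, row) {
    if (err) return callback(err, false);
    callback(null, !!row);
  });
}

// The stand-in store calls back synchronously, so the outcome can be read
// directly; with a real database the result arrives asynchronously.
function editorResult(params) {
  var out;
  isPostEditor(params, function (err, result) {
    out = {err: err, result: result};
  });
  return out;
}
```

Plugging isPostEditor in as the when of the 'user' --> 'editor' rule gives a check that only ever answers true when a matching row exists, and answers false (rather than throwing or querying with undefined keys) when the check call is made without a usable postId and userId.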

About rules

No subject, role or permission - only hierarchy

This is valid:

var rules = [
    {a: 'editor',     can: 'edit posts'},
    {a: 'edit posts', can: 'change post url'}
];

Cyclic hierarchy is NOT supported

This is invalid:

var rules = [
    {a: 'admin', can: 'user'},
    {a: 'user',  can: 'admin', when: function (params, callback) {...}}
];

and will result in an infinite loop.

Conditional and non-conditional paths

Given these rules:

var rules = [
    {a: 'editor', can: 'edit posts'},
    {a: 'user',   can: 'editor', when: function (params, callback) {
        // business logic check
    }},
    {a: 'admin',  can: 'user'}
];

If we check from a 'user' role:

rbac.check('user', 'edit posts', {...}, function (err, res) {
    // ...
});

The following path is checked:

'user' --> 'editor' [conditional] --> 'edit posts'

To go from 'user' to 'editor', the context condition must be satisfied.

But, if we check from a 'admin' role:

rbac.check('admin', 'edit posts', function (err, res) {
    // ...
});

The following path is checked:

'admin' --> 'user' --> 'editor' [conditional] --> 'edit posts'

To go from 'admin' to 'user', there is no condition. So the rest of the path is considered to be checked AND successful.

In general: starting from the checked role, a path is followed hop by hop, evaluating the when function of each conditional hop in turn. As soon as a hop is taken that has no conditional check, the remaining path is considered solved and the result is true. Note what this means for rule design: an unconditional hop into a role bypasses every condition on that role's own rules, as the 'admin' --> 'user' example shows.

Multiple paths to same permission

For the following rules:

var rules = [
    {a: 'editor', can: 'edit posts'},
    {a: 'user',   can: 'editor', when: function (params, callback) {
        // business logic check
    }},
    {a: 'user',   can: 'edit posts'}
];

If you do the following check:

rbac.check('user', 'edit posts', function (err, res) {
    // ...
});

Then we have these possible paths:

1] 'user' --> 'edit posts'
2] 'user' --> 'editor' [conditional] --> 'edit posts'

Paths are checked in serial order, shortest path first (shortest by number of hops; a short path with a conditional hop may still take longer than a long unconditional one). As soon as one path succeeds, the remaining paths are not checked and the result is returned immediately; the result is false only if every path fails.
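To make the path rules in the last two sections concrete, here is an added reference model of them. It is not rbac2's own code: it follows the semantics stated above (hierarchy edges only, shortest path first, a conditional hop runs its when(), an unconditional hop settles the rest of the path as solved, the first successful path wins) and goes one step beyond the README by guarding against a cyclic hierarchy so that it fails instead of looping forever. POST_EDITORS, isPostEditor, countingCondition and checkNow are constructed for the example.

```javascript
'use strict';

// Breadth-first search over the rules from `from` to `to`. BFS dequeues
// shorter paths first, so the returned list is ordered shortest path first.
// Nodes already on the current path are never revisited, which stops cycles.
function findPaths(rules, from, to) {
  var paths = [];
  var seenStart = {};
  seenStart[from] = true;
  var queue = [{node: from, edges: [], seen: seenStart}];
  while (queue.length) {
    var cur = queue.shift();
    if (cur.node === to && cur.edges.length) {
      paths.push(cur.edges);
      continue;
    }
    rules.forEach(function (rule) {
      if (rule.a !== cur.node || cur.seen[rule.can]) return;
      var seen = Object.assign({}, cur.seen);
      seen[rule.can] = true;
      queue.push({node: rule.can, edges: cur.edges.concat([rule]), seen: seen});
    });
  }
  return paths;
}

// Walk one path hop by hop. A hop with a when() must call back (null, true)
// to continue; an error, a non-true result or a thrown exception fails the
// path (fail closed). The first hop without a when() settles the remainder
// as solved, as in the 'admin' --> 'user' example.
function walkPath(path, params, cb) {
  var i = 0;
  var settled = false;
  function finish(ok) {
    if (settled) return;
    settled = true;
    cb(null, ok);
  }
  function next() {
    if (i >= path.length) return finish(true);
    var rule = path[i++];
    if (typeof rule.when !== 'function') return finish(true);
    try {
      rule.when(params, function (err, ok) {
        if (err || ok !== true) return finish(false);
        next();
      });
    } catch (e) {
      if (settled) throw e; // thrown by the caller's callback, not by the check
      finish(false);
    }
  }
  next();
}

// check(rules, role, permission, [params], callback): try paths in order and
// stop at the first success; the remaining paths are never evaluated.
function check(rules, role, permission, params, cb) {
  if (typeof params === 'function') {
    cb = params;
    params = {};
  }
  var paths = findPaths(rules, role, permission);
  var i = 0;
  (function tryNext() {
    if (i >= paths.length) return cb(null, false);
    walkPath(paths[i++], params, function (err, ok) {
      if (ok) return cb(null, true);
      tryNext();
    });
  })();
}

// Constructed in-memory stand-in for the tbl_post_editors lookup.
var POST_EDITORS = [{post_id: 23, user_id: 12}];
function isPostEditor(params, callback) {
  callback(null, POST_EDITORS.some(function (r) {
    return r.post_id === params.postId && r.user_id === params.userId;
  }));
}

// Rules from the "Conditional and non-conditional paths" section.
var rules = [
  {a: 'editor', can: 'edit posts'},
  {a: 'user',   can: 'editor', when: isPostEditor},
  {a: 'admin',  can: 'user'}
];

// Rules from the "Multiple paths" section; the condition counts its calls so
// it is visible that the shorter unconditional path short-circuits it.
var conditionCalls = 0;
function countingCondition(params, callback) {
  conditionCalls += 1;
  callback(null, false);
}
var multiPathRules = [
  {a: 'editor', can: 'edit posts'},
  {a: 'user',   can: 'editor', when: countingCondition},
  {a: 'user',   can: 'edit posts'}
];

// The README's invalid cyclic hierarchy; the seen-set in findPaths terminates it.
var cyclicRules = [
  {a: 'admin', can: 'user'},
  {a: 'user',  can: 'admin', when: function (params, callback) { callback(null, true); }}
];

// Every sample when() here calls back synchronously, so the result can be read
// straight after check(); real database-backed checks are asynchronous.
function checkNow(rules, role, permission, params) {
  var out;
  check(rules, role, permission, params || {}, function (err, ok) { out = ok; });
  return out;
}
```

Running checkNow(rules, 'admin', 'edit posts') returns true without isPostEditor ever being called, which is the behaviour the 'admin' example above describes and the reason to be careful about unconditional hops into roles that carry conditions. checkNow(cyclicRules, 'admin', 'edit posts') returns false and terminates, whereas the README states that rbac2 itself does not support such rules.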

Testing

Install dev dependencies and run:

npm test

License

MIT
