feathers-mongoose-acl v1.0.3
feathers-mongoose-acl
feathers-mongoose-acl (or fma for short) gives you the power to adds a simple yet powerful access layer mechanism to your feathers-mongoose app.
fma comes built it with two layers of access control.
Document level access control and Field level access control.
With document level access layer, you can control which user role can have access to a document inside each service method call.
With field level access layer, you can control which user can a field in the document.
Getting Started
npm i feathers-mongoose-acl
Basic Usage Example
import {OR, ACCESS_LAYER, AccessLayerHookExternal} from 'feathers-mongoose-acl'
const createdByUser = context => {createdBy: context.params.user._id}
const assignedToUser = context => {assignedTo: context.params.user._id}
const access: ACCESS_LAYER = {
DOC_ACCESS: {
find: { ADMIN: true, '*': OR(createdByUser, assignedToUser)},
remove: { ADMIN: true }
},
NONE_PATCHABLE_FIELDS: {
ADMIN: {},
'*': {
fields: ['deleted', 'role', 'account'],
throw: true
}
}
}
const before: Partial<HookMap> = {
all: [index.authenticate(['jwt']), AccessLayerHookExternal(access)]
}Let's unpack what we've done here.
1. we create access layer object. each access layer object has doc access, and none_patchable_fields.
in doc access, we defined for each method the user roles that have access to a document through service method calls.
for example in "find" method, we give admin user permission to access all documents, but for all other user roles
we only allow a user to access a document if he created it or if he is assigned to it.
2. we defined none patchable fields, as their name indicates, once defined for a role, if he tries to modify them through patch, he will recieve an error.(if defined throw: true)
Typescript
feathers-mongoose-acl comes with internal typescript support
Test
To test it locally please run
npm run test:local
Contribution
Any type of contribution is welcomed, feel free to pm me 💓