1.3.0 • Published 4 years ago

moleculer-middleware-permissions v1.3.0


Moleculer Middleware Permissions

Check action permissions.


Install

This module requires at least Node v8.3.0.

yarn add moleculer-middleware-permissions

Usage

// moleculer.config.js
const PermissionGuard = require('moleculer-middleware-permissions');

// See "Options" below for the supported keys
const guard = new PermissionGuard({ /* options */ });

module.exports = {
    // ...other broker options
    middlewares: [
        guard.middleware(),
    ],
};

// service.js
module.exports = {
  name: 'awesome.service',
  actions: {
    hello: {
      // The user must have both 'hello:read' AND 'hello:name'
      // You can override this behaviour by passing your 'checkFunction'
      permissions: ['hello.read', '$owner', (ctx) => ctx.call('acl.canSayHello')],
      handler (ctx) {
        const {name} = ctx.params;
        return `Hello ${name}`;
      }
    },
    me: {
      // Will check for these permissions: ['awesome.service.me']
      permissions: true,
      handler (ctx) {
        return `Hello me`;
      }
    }
  }
};

Options

  • checkFunction(current, requested): A function that returns true if the request has enough permissions. Otherwise, its return value is sent in the rejected PermissionError.
  • getPermissionsFromAction(action): Called to return an array of permissions from an action.
  • getUserPermissions(ctx): Function called to retrieve the user's permissions. By default, it returns meta.user.permissions.

Permissions type

A string

The simplest way to add permissions is to use a list of strings, each representing a permission, like this:

  • members.read: Can list/get/find members
  • members.write: Can update/remove/create members

String permissions are checked before any functions; if they allow access, the functions are not checked!

$owner

If you want the owner of an entity to be able to update it, but not other users, you can use this special permission. It will try to call the isEntityOwner(ctx) method of your service. Returning a truthy value counts as allowed.

This method can be async.

A function

You can also provide functions to check whether the user is allowed to access an action. They are called only if the string permissions did not already allow access. Only one function needs to return a truthy value for access to be allowed!

This method can be async.

You can override this behaviour by overriding the check method of the class.
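
The check order described in the three sections above, as an added sketch (not the package's own code): strings first, then '$owner' and functions, with denial as the fallback. The names evaluate and demo, the sample users, and the choice to run '$owner' and functions in listed order are assumptions made for illustration.

```javascript
// Added sketch of the decision order described above; not the package's code.
// `evaluate`, `demo` and all sample data are hypothetical names/values.
async function evaluate(permissions, userPermissions, ctx, service) {
  const strings = permissions.filter((p) => typeof p === 'string' && p !== '$owner');
  const dynamic = permissions.filter((p) => p === '$owner' || typeof p === 'function');

  // 1. Strings first. Assumption (from the usage comment): all must be held.
  if (strings.length > 0 && strings.every((p) => userPermissions.includes(p))) {
    return { allowed: true, via: 'strings' };
  }
  // 2. Then '$owner' and functions, in listed order; one truthy result allows.
  for (const p of dynamic) {
    if (p === '$owner') {
      // Deny when the service does not define isEntityOwner.
      const hasHook = typeof service.isEntityOwner === 'function';
      if (hasHook && (await service.isEntityOwner(ctx))) return { allowed: true, via: '$owner' };
    } else if (await p(ctx)) {
      return { allowed: true, via: 'function' };
    }
  }
  // 3. Nothing granted access: deny.
  return { allowed: false, via: null };
}

async function demo() {
  let aclCalls = 0; // counts how often the function permission runs
  const permissions = ['hello.read', '$owner', async () => { aclCalls += 1; return false; }];
  const service = { isEntityOwner: async (ctx) => ctx.params.id === ctx.meta.user.id };
  const run = (user, id) =>
    evaluate(permissions, user.permissions, { meta: { user }, params: { id } }, service);

  const reader = await run({ id: 1, permissions: ['hello.read'] }, 9);
  const callsAfterReader = aclCalls;
  const owner = await run({ id: 2, permissions: [] }, 2);
  const callsAfterOwner = aclCalls;
  const stranger = await run({ id: 3, permissions: [] }, 9);
  return { reader, callsAfterReader, owner, callsAfterOwner, stranger, aclCalls };
}

demo().then((result) => console.log(result));
```

The counters show that the function permission never runs for a caller already allowed by a string or by '$owner', so audit or rate-limit logic placed inside such a function will not see those requests.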

License

MIT

  • 2.0.0-rc0: 4 years ago
  • 1.3.0: 5 years ago
  • 1.2.0: 5 years ago
  • 1.1.0: 5 years ago
  • 1.0.0: 5 years ago
  • 0.0.2: 5 years ago
  • 0.0.1: 5 years ago