Awesome
share-access
Access-control plugin for sharejs, racer and derby
Instalation
- Install:
npm install share-access
Usage
Plug in the middleware:
var shareAccess = require('share-access');
// plug in
shareAccess.setup(shareInstance);
// Or
derby.use(shareAccess);
// Or
racer.use(shareAccess);
Using share-access you can control create, read, update, and delete
database operation for every collection. You can use two types of rules:
allow and deny. By default all the operations are denied. So, you should
add some rules to allow them. If at least one allow-rule allows the write, and
no deny-rules deny the write, then the write is allowed to proceed.
You can call allow and deny-rules as many times as you like. The functions
should return true if they think the operation should be allowed for allow
rules and denied for deny-rules. Otherwise they should return false, or
nothing at all (undefined).
Create
// Allow create-operation for collection 'items'
// docId - id of your doc for access-control
// doc - document object
// session - your connect session
shareAccess.allowCreate('items', function(docId, doc, session){
return true;
});
// Deny creation if user is not admin
shareAccess.denyCreate('items', function(docId, doc, session){
return !session.isAdmin;
});
// So, finally, only admins can create docs in 'items' collection
// the same results is if you just write:
shareAccess.allowCreate('items', function(docId, doc, session){
return session.isAdmin;
});
Read
Interface is like create-operation
shareAccess.allowRead('items', function(docId, doc, session){
// Allow all operations
return true;
});
shareAccess.denyRead('items', function(docId, doc, session){
// But only if the reader is owner of the doc
return doc.ownerId !== session.userId;
});
Delete
Interface is like create-operation
shareAccess.allowDelete('items', function(docId, doc, session){
// Only owners can delete docs
return doc.ownerId == session.userId;
});
shareAccess.denyDelete('items', function(docId, doc, session){
// But deny deletion if it's a special type of docs
return doc.type === 'liveForever';
});
Update
// docId - id of your doc for access-control
// oldDoc - document object (before update)
// newDoc - document object (after update)
// path - array of update path segments - f.e = ['name'] if we are
// changing doc.name
// session - your connect session
shareAccess.allowUpdate('items', allowUpdateAll);
function allowUpdateAll(docId, oldDoc, newDoc, path, session){
return true;
}
shareAccess.denyUpdate('items', denyForNonAdmin);
function denyForNonAdmin(docId, oldDoc, newDoc, path, session){
// If you are not an admin you can change only 'description'
return !session.isAdmin && path[0] !== 'description';
}
MIT License
Copyright (c) 2014 by Artur Zayats
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.