Simple role and service method permissions for Feathers
Note: This module implements a hook simple role and service method based permissions checked against the permissions in a user (entity) object. More complex requirements can already be implemented as custom Feathers hooks. See here and here for more information.
npm install feathers-permissions --save
Important: The
feathers-permissionshook should be used after theauthenticate()hook by @feathersjs/authentication.
const feathers = require('@feathersjs/feathers');
const memory = require('feathers-memory');
const checkPermissions = require('feathers-permissions');
const app = feathers();
app.use('/messages', memory());
app.service('messages').hooks({
before: checkPermissions({
roles: [ 'admin', 'messages' ]
})
});
// User from the database (e.g. added via @feathersjs/authentication)
const user = {
email: '[email protected]',
permissions: [ 'messages:find', 'messages:get' ]
// Also possible
permissions: 'messages:find,messages:get'
}
const admin = {
email: '[email protected]',
permissions: [ 'admin:*' ]
}
// Will pass
app.service('messages').find({
provider: 'rest', // this will be set automatically by external calls
user
});
// Will fail
app.service('messages').create({
provider: 'rest', // this will be set automatically by external calls
user
});
// Will pass
app.service('messages').create({
provider: 'rest', // this will be set automatically by external calls
user: admin
});Feathers permissions allows you to grant and manage permissions in a flexible nature. Each object that requires permissions must have an array or a comma separated string of permissions stored on it (typically in your database).
The following options are available:
roles- A list of roles to check or a function that takes the hookcontextand returns a list of rolesentity(default:user) - The name of the entity (params[entity])field(default:permissions) - The name of the permissions field. Can be a comma separated string of permissions or an array or permissions.error- If set tofalsewill not throw aForbiddenerror but instead setparams.permittedtotrueorfalse. Useful for chaining permission hooks.
The list of permissions will be obtained from params[entity][field]. It can be a comma separate list or an array of permissions in the following format:
*- Allow everything${role}:*- Allow every service method (find,get,create,update,patch,remove) forrole*:${method}- Allowmethodservice method for any role${role}:${method}- Allowmethodservice method forrole
This means the following use of feathers-permissions:
app.service('messages').hooks({
before: checkPermissions({
roles: [ 'admin', 'user' ]
})
});Will allow user permissions containing *, admin:*, user:* and the service method that is being called (e.g. admin:create or user:find and *:create and *:find).
The following will create a dynamic role based on the hook context.path:
app.service('messages').hooks({
before: checkPermissions({
roles(context) {
return [ 'admin', context.path ];
}
})
});Roles can also be assembled asynchronously:
app.service('messages').hooks({
before: checkPermissions({
async roles(context) {
const { user } = context.params;
const roles = await app.service('roles').find({
query: {
userId: user._id
}
});
return roles.data;
}
})
});To conditionally either allow access by permission or otherwise restrict to the current user, a combination of feathers-permissions - setting the error option to false - feathers-authentication-hooks and feathers-hooks-common#iff (checking for params.permitte) can be used:
app.service('messages').hooks({
before: {
find: [
checkPermissions({
roles: ['super_admin', 'admin'],
field: 'role',
error: false
}),
iff(context => !context.params.permitted,
restrictToOwner({ idField: '_id', ownerField: '_id'})
)
]
}
});Copyright (c) 2018
Licensed under the MIT license.
![greenkeeper[bot] avatar](https://avatars.githubusercontent.com/in/505?v=4 "greenkeeper[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent