mongoose-acl

A Mongoose plugin for access control protection in models. The plugin offers the ability to define functions which can return whether a user has access to perform an action or query. The plugin does provide Express middleware, but Express is not required for use with the plugin.

Working With

Requirements

• NodeJS 6 LTS
• other requirements

Installing

Install the package using your JS package manager of choice, such as npm or yarn.

For example, with npm or yarn:

$ npm install --save @bouncingpixel/mongoose-acl

$ yarn add @bouncingpixel/mongoose-acl

Using mongoose-acl

The plugin requires an options object with the four required functions: canCreate, canRead, canUpdate, and canDelete. Each function is called with this context set to the Model.

In general, the return of each function can be a boolean or the fields which the user may access or manipulate. When referring to a create or update action, the term access will also mean ability to set or alter.

• If the return is falsey (false, null, undefined), then no access is allowed.
• If the return is exactly true, all access is allowed.
• If the return is an array of field names, then only those fields can be accessed.
• If the return is an object with the key allow set to an array of field names, then only those fields can be accessed.
• If the return is an object with the key disallow set to an array of field names, then all other fields except these can be accessed.
• If the return is an object with both keys allow and disallow set to arrays of field names, then any item within disallow is removed from allow, and the resulting set is the fields which may be accessed.
• In the event an empty array is specified, then the user has no access.

There are two deviations from these rules:

• canRead also allows a query key in the returned object. This key must be a function which receives one parameter, the query from Mongoose. This allows the ACL rule to automatically add to the query to enhance security.

• canDelete is only a true or false situation. You cannot delete some fields and not others. Any falsey value (false, null, undefined) will prevent the deletion. Any non-falsey value, including an array whether empty or non-empty, will be assumed to be true and allow the delete to continue.

canCreate(req: Request, document: MongooseDocument<Model>): RuleSpec
canRead(req: Request, query: MongooseQuery): ReadRuleSpec
canUpdate(req: Request, document: MongooseDocument<Model>): RuleSpec
canDelete(req: Request, document: MongooseDocument<Model>): DeleteRuleSpec

The rules will be enforced using hooks, thus it is possible to bypass a security rule by ignoring hooks for a specific action. Note: At this time, there are some functions which do not cause hooks to be called. For example, Model.remove in Mongoose does not call the remove hook.

The canCreate and canUpdate rely on the pre-validation hook. For the use case where a rule limits which fields a user may access, but the system should auto-generate values for the field, one may use a pre-validation or a pre-save hook that must be added to the Schema after the plugin. If you require your pre-validation hook to perform actions that must also be ACL protected, then define your pre-validation hook before the plugin is added.

By default, the hooks will not permit any action which generates hooks until a protected instance of the model is created. To create a protected instance, you must pass in a request object, which can actually be any object which will be passed to the rule definitions to test the access level of a request.

A static method on the Model, .protect(req) exists to generate a protected instance. In the current version, protect will modify the req object to set req.protectedModels and uses that as a cache for all protected models. Calling .protect(req) with the same req object multiple times will use the cached protected-model, unless req cannot be modified.

Express Middlewares

There are also a number of Express middleware which can optionally be utilized.

The protect method is also a middleware, .protect(req, res, next), and can mounted to automatically add a protected model to the req object.

Read middlewares

makeReadMany(options) and makeReadOne(options) will create a middleware for reading. The two are separate middlewares as fetching a list and fetching a single instance are different actions and generally are attached to different routes.

makeReadOne(options) can make use of req.params.id to read one document based on the ObjectID. Otherwise, this may use the same where, sort, and offset. Any limits set will be ignored and only one document will be returned.

All options are optional. The options which can be passed in are as follows:

initialWhere: any // the where clause which is appended to any specified by the used
initialSort: any // the sort clause which is appended to any specified by the used

initialLimit: Number // the default limit to use
initialOffset: Number // the default offset to use

// all of the next ones default to false
canExtendWhere: Boolean // if the user may use req.query.where to set the query
canExtendSort: Boolean // if the user may use req.query.sort to set the sort
canSetLimit: Boolean // if the user may set req.query.limit to set the limit
canSetOffset: Boolean // if the user may set req.query.offset to set the offset

resLocalsField: String // what field to set the data to in res.locals, defaults to data

Create middleware

makeCreate(options) creates the middleware for document creation. The middleware expects the data to use for creation will be in req.body[incomingDataField] where incomingDataField is either the option set or the model name used when creating the model: mongoose.model('modelName', MySchema).

All options are optional. The options which can be passed in are as follows:

resLocalsField: String // what field to set the data to in res.locals, defaults to data

incomingDataField: String // what field in req.body the updated data will be in

If the model defines an static method deserializeForm(originalDocument?), that function will be used to manipulate the data at req.body[incomingDataField]. There is no originalDocument for create, unlike update. The function can return a Promise or run synchronously. The middleware will expect req.body[incomingDataField] to contain the final data used to perform the create.

Update middlewares

makeUpdate(options) creates the middleware for document updates based on ID. The middleware expects the _id of the item to be updated to be in req.params.id. The middleware expects the data to use for creation will be in req.body[incomingDataField] where incomingDataField is either the option set or the model name used when creating the model: mongoose.model('modelName', MySchema).

The default updater currently uses a shallow merge method. Any field not defined or set to undefined will not be merged, thus keeping the original value. Any objects or arrays will be set as-is and will not be merged with their counterparts in the document. The updater can be changed with the option mergeUpdates.

If the model defines an static method deserializeForm(originalDocument?), that function will be used to manipulate the data at req.body[incomingDataField]. The original document before updates is provided. The function can return a Promise or run synchronously. The middleware will expect req.body[incomingDataField] to contain the final data used to perform the update. When using the default updater, this function can set fields to undefined in order to preserve the original value.

All options are optional. The options which can be passed in are as follows:

mergeUpdates(document: MongooseDocument<Model>, updates: any, req: Request): Promise?

resLocalsField: String // what field to set the data to in res.locals, defaults to data

incomingDataField: String // what field in req.body the updated data will be in

Delete middlewares

makeDelete(options) creates the middleware for deleting documents by ID. The middleware expects the _id of the item to be deleted to be in req.params.id. The only option available is resLocalsField which defines the field in res.locals that will contain the deleted instance.