access-control-rules
Access control for hierarchical data.
Why
Factored out of a hyperbase server implementation.
How
Make some rules:
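// Example rule tree. Keys starting with "." are rules attached to that node;
// every other key is a child path segment. The literals on the page were padded
// with stray spaces (' .read ', ' $id ', ' 0 '), which would never match the
// ".read" rule name used in the prose, so they are restored here.
var rules = {
  // Static grant at the root.
  // NOTE(review): how this root-level grant combines with the stricter '.read'
  // under things/$id is decided by the library and is not shown on this page.
  // Verify it before relying on the nested rule to restrict access.
  '.read': true,
  things: {
    // Presumably a wildcard segment whose matched value is exposed as this.id
    // inside the rule functions. Confirm against the library.
    '$id': {
      // Dynamic read rule: reports allow === true only for the thing with id '0'.
      '.read': function (cb) {
        cb(null, this.id === '0')
      },
      // Dynamic write rule: needs a truthy value and id '0'.
      // Boolean() keeps the truthiness of `value && ...` but always hands the
      // callback a strict true/false instead of leaking a falsy value
      // (null, '', 0) as the decision.
      '.write': function (value, cb) {
        cb(null, Boolean(value) && this.id === '0')
      },
      nested: {
        reserved: {
          // Static deny: writes to nested/reserved are refused.
          '.write': false
        }
      }
    }
  }
}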
Then check to see if you have permission to read and write stuff:
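var ac = require('access-control-rules')

// Each check takes the rule tree, a second argument that is null in every
// example here (its meaning is not shown on this page), the path split into
// segments, for writes the value being written, and a node-style callback
// (err, allow).
//
// In every callback, fail closed: treat a non-null err or a falsy allow as
// "deny", and never act on allow without checking err first.
//
// NOTE(review): '/things/0'.split('/') yields ['', 'things', '0'], with a
// leading empty segment. Presumably the library tolerates it; confirm.

// Read checks. The $id '.read' rule compares this.id with '0', so /things/0 is
// presumably allowed and /things/1 denied. Confirm against the library's tests.
ac.read(rules, null, '/things/0'.split('/'), function (err, allow) {
})

ac.read(rules, null, '/things/1'.split('/'), function (err, allow) {
})

// Write checks with a truthy value. The page had a stray extra comma before the
// callback in the first call; it is removed here.
ac.write(rules, null, '/things/0'.split('/'), 'thing!', function (err, allow) {
})

ac.write(rules, null, '/things/1'.split('/'), 'thing!', function (err, allow) {
})

// NOTE(review): one more write check against /things/0 follows on the page, but
// only its path and a dangling `})` survive; the value argument and the
// callback header are missing. Restore it from the upstream README rather than
// guessing the arguments:
//   ac.write(rules, null, '/things/0'.split('/') /* value, callback missing */)

// Writes of an object value. The second one touches nested.reserved, which has
// '.write': false in the rules, so it is presumably denied. Confirm.
ac.write(rules, null, '/things/0'.split('/'), { nested: { x: 42 } }, function (err, allow) {
})

ac.write(rules, null, '/things/0'.split('/'), { nested: { reserved: 42 } }, function (err, allow) {
})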
Test
$ npm test
$ npm run test-browser
(depends on a globally installed zuul)
Prior art
The idea is based on Firebase's security rules. The main difference is that ".read" rules do not check any nested rules; this allows masking specific fields when reading objects.
License
WTFPL