Authorization
April 17, 2019 ยท View on GitHub
It is possible to reject requests by specifying a condition with the authorize
configuration property.
authorize uses the same format as the
filter query
argument, except
parameters, including
server-specific parameters,
are specified instead of collection's attributes.
In the example below, delete commands will be rejected.
authorize:
command:
_neq: delete
With authorize, one can define
role-based access control
or other authorization design.
The example below gives read-only permissions to the reader group, read-write
permissions to the manager group, and full permissions to the admin group.
authorize:
- command: find
user_group: reader
- command:
_in: [find, patch]
user_group: manager
- user_group: admin
It is also possible to directly use functions.
authorize:
params:
key: (getSecretKey())
Collection authorization
One can specify collection-specific authorization with the
collection.authorize
configuration property.
The format is the same as authorize, except model can also be used.
In the example below, requests on example_collection will be rejected unless
example_collection.age is over 30 or example_collection.public is true.
collections:
example_collection:
authorize:
- model:
age:
_gte: 30
- model:
public: true
If the model is being modified, attributes are checked both before and after
modification. In other words, it is checked on both previousmodel and model
parameters.
In the example below, requests will be prevented from fetching any
example_collection with example_collection.locked true. It will also
prevent requests from setting example_collection.locked to true or creating
such a model.
collections:
example_collection:
authorize:
model:
locked: false
Using this feature allows you to define access control lists restricting the permissions of a model based on the value of its attributes.
Functions cannot use the parameters
model, value, previousmodel nor previousvalue. However, it is possible
to target another attribute by using a model.ATTRIBUTE string as value.
In the example below, requests will be rejected on any example_collection
unless example_collection.created_time equals
example_collection.updated_time.
collections:
example_collection:
authorize:
model:
created_time: model.updated_time
Readonly attributes
Readonly attributes cannot be modified. Trying to do so won't report any error, but the attribute value will not change.
They can be specified using attribute.readonly.
collections:
example_collection:
attributes:
example_attribute:
readonly: true
An attribute can be readonly based on a condition, by using a
function in attribute.readonly.
In the example below, the model's name attribute will be readonly only if its
locked attribute is true.
collections:
example_collection:
attributes:
name:
readonly: (model.locked === true)
locked:
type: boolean