• Stars
    star
    2,620
  • Rank 17,478 (Top 0.4 %)
  • Language
    JavaScript
  • Created over 13 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Access control lists for node applications

NODE ACL - Access Control Lists for Node

This module provides a minimalistic ACL implementation inspired by Zend_ACL.

When you develop a web site or application you will soon notice that sessions are not enough to protect all the available resources. Avoiding that malicious users access other users content proves a much more complicated task than anticipated. ACL can solve this problem in a flexible and elegant way.

Create roles and assign roles to users. Sometimes it may even be useful to create one role per user, to get the finest granularity possible, while in other situations you will give the asterisk permission for admin kind of functionality.

A Redis, MongoDB and In-Memory based backends are provided built-in in the module. There are other third party backends such as knex based, firebase and elasticsearch. There is also an alternative memory backend that supports regexps.

Follow manast for news and updates regarding this library.

Status

BuildStatus Dependency Status devDependency Status

Features

  • Users
  • Roles
  • Hierarchies
  • Resources
  • Express middleware for protecting resources.
  • Robust implementation with good unit test coverage.

Installation

Using npm:

npm install acl

Documentation

Examples

Create your acl module by requiring it and instantiating it with a valid backend instance:

var acl = require('acl');

// Using redis backend
acl = new acl(new acl.redisBackend(redisClient, prefix));

// Or Using the memory backend
acl = new acl(new acl.memoryBackend());

// Or Using the mongodb backend
acl = new acl(new acl.mongodbBackend(dbInstance, prefix));

All the following functions return a promise or optionally take a callback with an err parameter as last parameter. We omit them in the examples for simplicity.

Create roles implicitly by giving them permissions:

// guest is allowed to view blogs
acl.allow('guest', 'blogs', 'view')

// allow function accepts arrays as any parameter
acl.allow('member', 'blogs', ['edit', 'view', 'delete'])

Users are likewise created implicitly by assigning them roles:

acl.addUserRoles('joed', 'guest')

Hierarchies of roles can be created by assigning parents to roles:

acl.addRoleParents('baz', ['foo', 'bar'])

Note that the order in which you call all the functions is irrelevant (you can add parents first and assign permissions to roles later)

acl.allow('foo', ['blogs', 'forums', 'news'], ['view', 'delete'])

Use the wildcard to give all permissions:

acl.allow('admin', ['blogs', 'forums'], '*')

Sometimes is necessary to set permissions on many different roles and resources. This would lead to unnecessary nested callbacks for handling errors. Instead use the following:

acl.allow([
    {
        roles:['guest', 'member'],
        allows:[
            {resources:'blogs', permissions:'get'},
            {resources:['forums', 'news'], permissions:['get', 'put', 'delete']}
        ]
    },
    {
        roles:['gold', 'silver'],
        allows:[
            {resources:'cash', permissions:['sell', 'exchange']},
            {resources:['account', 'deposit'], permissions:['put', 'delete']}
        ]
    }
])

You can check if a user has permissions to access a given resource with isAllowed:

acl.isAllowed('joed', 'blogs', 'view', function(err, res){
    if(res){
        console.log("User joed is allowed to view blogs")
    }
})

Of course arrays are also accepted in this function:

acl.isAllowed('jsmith', 'blogs', ['edit', 'view', 'delete'])

Note that all permissions must be fulfilled in order to get true.

Sometimes is necessary to know what permissions a given user has over certain resources:

acl.allowedPermissions('james', ['blogs', 'forums'], function(err, permissions){
    console.log(permissions)
})

It will return an array of resource:[permissions] like this:

[{'blogs' : ['get', 'delete']},
 {'forums':['get', 'put']}]

Finally, we provide a middleware for Express for easy protection of resources.

acl.middleware()

We can protect a resource like this:

app.put('/blogs/:id', acl.middleware(), function(req, res, next){…}

The middleware will protect the resource named by req.url, pick the user from req.session.userId and check the permission for req.method, so the above would be equivalent to something like this:

acl.isAllowed(req.session.userId, '/blogs/12345', 'put')

The middleware accepts 3 optional arguments, that are useful in some situations. For example, sometimes we cannot consider the whole url as the resource:

app.put('/blogs/:id/comments/:commentId', acl.middleware(3), function(req, res, next){…}

In this case the resource will be just the three first components of the url (without the ending slash).

It is also possible to add a custom userId or check for other permissions than the method:

app.put('/blogs/:id/comments/:commentId', acl.middleware(3, 'joed', 'post'), function(req, res, next){…}

Methods

addUserRoles( userId, roles, function(err) )

Adds roles to a given user id.

Arguments

    userId   {String|Number} User id.
    roles    {String|Array} Role(s) to add to the user id.
    callback {Function} Callback called when finished.

removeUserRoles( userId, roles, function(err) )

Remove roles from a given user.

Arguments

    userId   {String|Number} User id.
    roles    {String|Array} Role(s) to remove to the user id.
    callback {Function} Callback called when finished.

userRoles( userId, function(err, roles) )

Return all the roles from a given user.

Arguments

    userId   {String|Number} User id.
    callback {Function} Callback called when finished.

roleUsers( rolename, function(err, users) )

Return all users who has a given role.

Arguments

    rolename   {String|Number} User id.
    callback {Function} Callback called when finished.

hasRole( userId, rolename, function(err, hasRole) )

Return boolean whether user has the role

Arguments

    userId   {String|Number} User id.
    rolename {String|Number} role name.
    callback {Function} Callback called when finished.

addRoleParents( role, parents, function(err) )

Adds a parent or parent list to role.

Arguments

    role     {String} Child role.
    parents  {String|Array} Parent role(s) to be added.
    callback {Function} Callback called when finished.

removeRoleParents( role, parents, function(err) )

Removes a parent or parent list from role.

If parents is not specified, removes all parents.

Arguments

    role     {String} Child role.
    parents  {String|Array} Parent role(s) to be removed [optional].
    callback {Function} Callback called when finished [optional].

removeRole( role, function(err) )

Removes a role from the system.

Arguments

    role     {String} Role to be removed
    callback {Function} Callback called when finished.

### removeResource( resource, function(err) )

Removes a resource from the system

Arguments

    resource {String} Resource to be removed
    callback {Function} Callback called when finished.

allow( roles, resources, permissions, function(err) )

Adds the given permissions to the given roles over the given resources.

Arguments

    roles       {String|Array} role(s) to add permissions to.
    resources   {String|Array} resource(s) to add permisisons to.
    permissions {String|Array} permission(s) to add to the roles over the resources.
    callback    {Function} Callback called when finished.

allow( permissionsArray, function(err) )

Arguments

    permissionsArray {Array} Array with objects expressing what permissions to give.
       [{roles:{String|Array}, allows:[{resources:{String|Array}, permissions:{String|Array}]]

    callback         {Function} Callback called when finished.

removeAllow( role, resources, permissions, function(err) )

Remove permissions from the given roles owned by the given role.

Note: we loose atomicity when removing empty role_resources.

Arguments

    role        {String}
    resources   {String|Array}
    permissions {String|Array}
    callback    {Function}

allowedPermissions( userId, resources, function(err, obj) )

Returns all the allowable permissions a given user have to access the given resources.

It returns an array of objects where every object maps a resource name to a list of permissions for that resource.

Arguments

    userId    {String|Number} User id.
    resources {String|Array} resource(s) to ask permissions for.
    callback  {Function} Callback called when finished.

isAllowed( userId, resource, permissions, function(err, allowed) )

Checks if the given user is allowed to access the resource for the given permissions (note: it must fulfill all the permissions).

Arguments

    userId      {String|Number} User id.
    resource    {String} resource to ask permissions for.
    permissions {String|Array} asked permissions.
    callback    {Function} Callback called with the result.

areAnyRolesAllowed( roles, resource, permissions, function(err, allowed) )

Returns true if any of the given roles have the right permissions.

Arguments

    roles       {String|Array} Role(s) to check the permissions for.
    resource    {String} resource to ask permissions for.
    permissions {String|Array} asked permissions.
    callback    {Function} Callback called with the result.

whatResources(role, function(err, {resourceName: [permissions]})

Returns what resources a given role has permissions over.

Arguments

    role        {String|Array} Roles
    callback    {Function} Callback called with the result.

whatResources(role, permissions, function(err, resources) )

Returns what resources a role has the given permissions over.

Arguments

    role        {String|Array} Roles
    permissions {String|Array} Permissions
    callback    {Function} Callback called with the result.

middleware( [numPathComponents, userId, permissions] )

Middleware for express.

To create a custom getter for userId, pass a function(req, res) which returns the userId when called (must not be async).

Arguments

    numPathComponents {Number} number of components in the url to be considered part of the resource name.
    userId            {String|Number|Function} the user id for the acl system (defaults to req.session.userId)
    permissions       {String|Array} the permission(s) to check for (defaults to req.method.toLowerCase())

backend( db, [prefix] )

Creates a backend instance. All backends except Memory require driver or database instance. useSingle is only applicable to the MongoDB backend.

Arguments

    db        {Object} Database instance
    prefix    {String} Optional collection prefix
    useSingle     {Boolean} Create one collection for all resources (defaults to false)
var mongodb = require('mongodb');
mongodb.connect("mongodb://127.0.0.1:27017/acltest", function(error, db) {
  var mongoBackend = new acl.mongodbBackend(db, 'acl_');
});

Creates a new MongoDB backend using database instance db.

var client = require('redis').createClient(6379, '127.0.0.1', {no_ready_check: true});
var redisBackend = new acl.redisBackend(client);

Creates a new Redis backend using Redis client client.

Tests

Run tests with npm (requires mocha):

 npm test

Future work

  • Support for denials (deny a role a given permission)

License

(The MIT License)

Copyright (c) 2011-2013 Manuel Astudillo [email protected]

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

More Repositories

1

bull

Premium Queue package for handling distributed jobs and messages in NodeJS.
JavaScript
15,314
star
2

redbird

A modern reverse proxy for node
JavaScript
4,384
star
3

navcodec

nodejs extension for libavcodec
C++
151
star
4

ground

Ground - MV(C/VM) Javascript Framework
JavaScript
100
star
5

Crawlme

Ajax crawling for your web application
JavaScript
67
star
6

fs.js

A higher level file system API for HTML5 FileSystem.
JavaScript
67
star
7

cabinet

A lightweight fast static file server for node loaded with useful features
JavaScript
55
star
8

fowl

A NodeJS Document Model and Query Layer for FoundationDB
JavaScript
48
star
9

dolphin

A fast, lightweight an modular library to interact with docker daemons.
JavaScript
41
star
10

livef1

Live Formula1 Service written in Nodejs
JavaScript
14
star
11

servion

A file server written in nodejs
JavaScript
9
star
12

blackbird

Confortable interfacing of event based transports
JavaScript
8
star
13

sconf

Simple Configuration for NodeJS Applications
JavaScript
7
star
14

followme

Bot to get high quality twitter followers
JavaScript
5
star
15

kashmir

NodeJS base cache optimised for medium to large data files
JavaScript
5
star
16

marlin

A lightweight file based CMS in node
JavaScript
4
star
17

wing

Realtime model synchronization
JavaScript
4
star
18

tradetonic

A website providing tools for "fibonacci trading".
JavaScript
3
star
19

db.js

IndexedDB Wrapper. Provides an easier to use, cross browser API.
JavaScript
3
star
20

resultqueue

Result queue on top of bull
JavaScript
3
star
21

castmill.com

Castmill's webpage
JavaScript
3
star
22

disturbed

A distributed event emitter for the browser and node
JavaScript
3
star
23

medroid-client

Client for medroid servers
JavaScript
2
star
24

livef1.in

Web app for Livef1.in
JavaScript
2
star
25

vre

Tiled based vector and text rendering engine.
C
2
star
26

node-adleria

Adleria (https://adleria.com) API for nodejs
JavaScript
2
star
27

docker-nfs

Dockerized NFS Server
Shell
2
star
28

ppt-converter

JavaScript
2
star
29

alacarte

Simple menu for different devices
JavaScript
2
star
30

docker-nodejs

Nodejs docker image
1
star
31

gnd-dropdown

A Gnd dropdown component
TypeScript
1
star
32

castmill-api

JavaScript
1
star
33

gnd.io

Ground Web Site
CSS
1
star
34

cfp

Nordea Corporate File Payments
JavaScript
1
star
35

marlin_old

A bi-direction realtime communication library for nodejs and the browsers
1
star
36

branches

Main repository for Optimal Bits
Objective-C
1
star
37

optimalbits.github.com

Optimal Bits Webpage
JavaScript
1
star
38

castmill-electron-old

Electron based castmill player
TypeScript
1
star
39

gnd-todomvc

TodoMVC Demo Application using Ground
JavaScript
1
star