franciscogouveia / hapi-rbac
RBAC (Rule Based Access Control) for hapijs
License: ISC License
Example:

{
    'credentials:documents': { field: 'params:document_id' }
}
Is there a way to write an RBAC policy to restrict access (visibility) to a data collection?
e.g. the database has a collection of books and a student should only see books which have particular metadata. In other words, if the getBooks API should return books depending on particular book metadata,
It would be great if the "onPostAuth" handler could support returning 403 (Forbidden). This would help API clients distinguish between Authentication and Authorization failures.
This could be a config option to either hard-code the result for RbacCore.DENY, or allow a function to specify.
I would be more than happy to make the change if you are willing to accept a patch.
Please let me know.
With rbac-core v2.0.0 it is now possible to register your own asynchronous and synchronous data retrievers. With this feature you will be able to match information from a database, another web service, etc. depending on your implementation.
A public interface to the register from the instance of DataRetrieverRouter is not yet available in hapi-rbac.
Instead of

target: ['all-of',
    {
        type: 'username',
        value: 'fgouveia'
    },
    {
        type: 'group',
        value: 'writer'
    }
]

do something like this for an AND condition:

target: {
    username: 'fgouveia',
    group: 'writer'
}

Use an array for a combination of AND and OR conditions:

target: [
    {
        username: 'fgouveia',
        group: 'writer'
    },
    {
        username: 'anonymous',
        group: 'reader'
    }
]
Any chance of a new version compatible with hapi v17?
Is there any other branch, fork or other solution to work with RBAC?
@franciscogouveia excellent library!
I wanted to see if you had any thoughts on how this could be used for field-level access control?
For example, given a customer record, a business owner may have full access to the record, which includes some private metadata, whereas the customer themselves may have access to everything except that private metadata.
Thanks!
Firstly, thanks for your great plugin, it's the most flexible authorization plugin for hapijs.
But I'd like to be able to store the rbac settings in a database and retrieve them via a promise, so an admin can dynamically change the rules without restarting the server.
I think the simple way is to detect if request.route.settings.plugins.rbac is a function; if yes, execute it and get a promise.
Thanks in advance
I would like to be able to check some HTTP headers in the request, like the Accept-language, to determine the access right on certain routes.
Is it OK for you if I submit a PR to manage that in the request data retriever?

// Check allowed keys
if (['method', 'path', 'headers'].indexOf(key) === -1) {
    return callback();
}
Hello,
I'd like to use this library in one of my projects, but it says that you support hapi 17.0 and you have hoek as one of the project dependencies (hoek is deprecated in favor of @hapi/hoek).
Are there any compatibility issues with recent versions of the Hapi framework?
Thank you for your hard work
We have a use case where we would like to be able to use RBAC at a deeper layer than hapi/http. Would you be open to extracting the core functionality into a lib?
I'll be able to help on the PR.
At the moment, it is only possible to evaluate a target based on credentials.
It would be cool to be able to evaluate also based on request information, such as remote address or domain.
In the case of having roles such as ADMIN, MANAGER, REP, USER while defining the lower tier of rules for a User, in this case:

{
    target: ['any-of',
        { type: "role", value: "ADMIN" },
        { type: "role", value: "MANAGER" },
        { type: "role", value: "REP" },
        { type: "role", value: "USER" },
    ],
    effect: 'permit'
}

it appears that I must do an 'any-of' and supply every more privileged role in the rule.
Is there a method of defining that ADMIN > MANAGER > REP > USER, allowing something akin to a greater-than-or-equal-to rule: { type: "role", gte: "USER" }
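An added example (not hapi-rbac's own code) that serves two of the requests above: it evaluates both the legacy 'all-of'/'any-of' target form and the proposed object/array form to show they express the same AND/OR semantics, and it expands a role hierarchy into the explicit 'any-of' target so a "role >= USER" rule does not have to be written by hand. It assumes credentials are a flat object such as { username, group } (group may be an array) and that the hierarchy is an array ordered from most to least privileged; all sample data is constructed.

```javascript
// Added example, not hapi-rbac's own code. Assumed: credentials are a flat
// object such as { username: 'fgouveia', group: ['writer'] }, and a role
// hierarchy is an array ordered from most to least privileged.

// A credential value may be a scalar or an array (e.g. several groups).
function matches(actual, expected) {
  return Array.isArray(actual) ? actual.indexOf(expected) !== -1 : actual === expected;
}

// Legacy target: ['all-of' | 'any-of', { type, value }, ...]
function matchLegacy(target, creds) {
  var op = target[0];
  var hits = target.slice(1).map(function (c) {
    return matches(creds[c.type], c.value);
  });
  return op === 'all-of' ? hits.every(Boolean) : hits.some(Boolean);
}

// Proposed target: an object is an AND over its keys; an array of objects
// is an OR over those ANDs.
function matchProposed(target, creds) {
  if (Array.isArray(target)) {
    return target.some(function (t) { return matchProposed(t, creds); });
  }
  return Object.keys(target).every(function (k) {
    return matches(creds[k], target[k]);
  });
}

// Expand "role >= minimum" in a hierarchy into the explicit 'any-of' target,
// so a rule does not have to list every more privileged role by hand.
function rolesAtLeast(hierarchy, minimum) {
  var idx = hierarchy.indexOf(minimum);
  if (idx === -1) { throw new Error('unknown role: ' + minimum); }
  return ['any-of'].concat(hierarchy.slice(0, idx + 1).map(function (r) {
    return { type: 'role', value: r };
  }));
}

// Constructed sample data
var HIERARCHY = ['ADMIN', 'MANAGER', 'REP', 'USER'];
var writer = { username: 'fgouveia', group: ['writer'] };
var reader = { username: 'anonymous', group: ['reader'] };
var legacy = ['all-of', { type: 'username', value: 'fgouveia' }, { type: 'group', value: 'writer' }];
var proposed = [{ username: 'fgouveia', group: 'writer' }, { username: 'anonymous', group: 'reader' }];

console.log(matchLegacy(legacy, writer), matchProposed(proposed, reader)); // true true
console.log(JSON.stringify(rolesAtLeast(HIERARCHY, 'REP')));
```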
Example:

target: {
    'credentials:field.subfield': 'value'
}
I am quite a newbie at using hapi js.
I want to create a dynamic policy using a MySQL database.
Whenever I write a callback function it gives me an error.
Can you please provide me with an example for the same? Also, how do I write the callback?
server.register({
    register: require('hapi-rbac'),
    options: {
        // Build the policy per request from the caller's groups. hapi-rbac
        // evaluates a policy object, so construct an object here instead of
        // concatenating the policy into a string as the original did.
        policy: function (request, callback) {
            var roles = request.auth.credentials.group || [];
            var policy = {
                target: ['any-of'].concat(roles.map(function (role) {
                    return { type: 'credentials:group', value: role };
                })),
                apply: 'permit-overrides',
                rules: [
                    {
                        target: ['any-of', { type: 'credentials:group', value: 'admin' }],
                        effect: 'permit'
                    }
                ]
            };
            return callback(null, policy);
        }
    }
}, function (err) {
    if (err) {
        throw err;
    }
});
Please suggest me any solution...
Hi!
I can't really understand the way the target is tested against the real value.
After defining this rule

{ target: { 'credentials.roles.recruiter': undefined },
  effect: 'deny'
},
{ effect: 'permit' }

I expect that

{ credentials: {
    roles: {
        recruiter: {}
    }
  }
}

would resolve to credentials.roles.recruiter = "Object" (or something not undefined) and the rule would deny the access.
Why is my rule denying the access to that case?