hapi-rbac's People

Contributors

adrieankhisbe, franciscogouveia, hazkiel, jeffm13, romakita

hapi-rbac's Issues

hapi-rbac on data collection

Is there a way to write an RBAC policy to restrict access (visibility) to a data collection?
e.g. the database has a collection of books and a student should only see books which have particular metadata. In other words, if the getBooks API should return books depending on particular book metadata,

Allow returning HTTP 403 (Forbidden) instead of only 401

It would be great if the "onPostAuth" handler could support returning 403 (Forbidden). This would help API clients distinguish between authentication and authorization failures.

This could be a config option to either hard-code the result for RbacCore.DENY, or allow a function to specify.

I would be more than happy to make the change if you are willing to accept a patch.

Please let me know.

Create own data retrievers

With rbac-core v2.0.0 it is now possible to register your own asynchronous and synchronous data retrievers. With this feature you will be able to match information from a database, another web service, etc., depending on your implementation.

A public interface to register on the DataRetrieverRouter instance is not yet available in hapi-rbac.

Simplify target

Instead of

target: ['all-of',
  {
    type: 'username',
    value: 'fgouveia'
  },
  {
    type: 'group',
    value: 'writer'
  }
]

do something like this for an AND condition

target: {
  username: 'fgouveia',
  group: 'writer'
}

Use an array for a combination of AND and OR conditions

target: [
  {
    username: 'fgouveia',
    group: 'writer'
  },
  {
    username: 'anonymous',
    group: 'reader'
  }
]

Support Hapi v17?

Any chance of a new version compatible with Hapi v17?

Is there any other branch, fork or other solution to work with RBAC?

field level access control

@franciscogouveia excellent library!

I wanted to see if you had any thoughts on how this could be used for field-level access control.

For example, given a customer record, a business owner may have full access to the record, which includes some private metadata, whereas the customers themselves may have access to everything except that private metadata.

Thanks!

[feature request] Possibility of retrieving RBAC rules via a promise

Firstly, thanks for your great plugin; it's the most flexible authorization plugin for hapi.js.
But I'd like to be able to store the RBAC settings in a database and retrieve them via a promise, so an admin can dynamically change the rules without restarting the server.
I think the simple way is to detect whether request.route.settings.plugins.rbac is a function; if yes, execute it and get a promise.

thanks in advance

Manage request headers in data retriever

I would like to be able to check some HTTP headers in the request, like Accept-Language, to determine the access rights on certain routes.
Is it OK with you if I submit a PR to manage that in the request data retriever?

// Check allowed keys (proposed: add 'headers' to the list the retriever accepts)
if (['method', 'path', 'headers'].indexOf(key) === -1) {
    return callback();
}

Is this project active?

Hello,
I'd like to use this library in one of my projects, but it says that you support Hapi 17.0 and you have hoek as one of the project dependencies (hoek is deprecated in favor of @hapi/hoek).

Are there any compatibility issues with recent versions of the Hapi framework?

Thank you for your hard work

Extract core

We have a use case where we would like to be able to use RBACs at a deeper layer than hapi/http. Would you be open to extracting the core functionality into a lib?

I'll be able to help on the PR.

Allow to evaluate more fields

At the moment, it is only possible to evaluate a target based on credentials.

It would be cool to be able to evaluate also based on request information, such as remote address or domain.

Method of defining Role hierarchy?

In the case of having roles such as ADMIN, MANAGER, REP, USER, while defining the lower tier of rules for a User, in this case:

{
    target: ['any-of',
        {type: "role", value: "ADMIN"},
        {type: "role", value: "MANAGER"},
        {type: "role", value: "REP"},
        {type: "role", value: "USER"},
    ],
    effect: 'permit'    
}

it appears that I must do an 'any-of' and supply every more privileged role in the rule.
Is there a method of defining that ADMIN > MANAGER > REP > USER, allowing something akin to a greater-than-or-equal-to rule: type: "role", gte: "USER"?
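As an added illustration (not hapi-rbac's own code, and none of these function names exist in the library), the snippet below shows how both proposals above could be reduced to the ['all-of' | 'any-of', {type, value}, ...] form hapi-rbac already evaluates: the shorthand object/array targets from the "Simplify target" issue, and a {type: 'role', gte: 'USER'} leaf from this issue, expanded against a role order. The role order and the facts it is matched against are constructed samples.

```javascript
// Added example, not hapi-rbac code. Hypothetical helpers that normalize the
// proposed target shorthands into the canonical ['all-of'|'any-of', ...] form
// and evaluate that form against a flat map of facts about the caller.

// Shorthand -> canonical.
//   { username: 'fgouveia', group: 'writer' }  -> ['all-of', {type, value}, ...]
//   [ {...}, {...} ]                            -> ['any-of', ['all-of', ...], ['all-of', ...]]
//   ['all-of' | 'any-of', ...]                  -> passed through, children normalized
function normalizeTarget(target) {
  if (Array.isArray(target)) {
    if (target[0] === 'all-of' || target[0] === 'any-of') {
      return [target[0]].concat(target.slice(1).map(normalizeTarget));
    }
    // A plain array of shorthand objects is an OR of ANDs.
    return ['any-of'].concat(target.map(normalizeTarget));
  }
  if (target && typeof target === 'object') {
    if ('type' in target) {
      return target; // already a leaf: {type, value} or {type, gte}
    }
    return ['all-of'].concat(Object.keys(target).map(function (type) {
      return { type: type, value: target[type] };
    }));
  }
  throw new TypeError('unsupported target: ' + JSON.stringify(target));
}

// Constructed sample hierarchy, most privileged first.
var ROLE_ORDER = ['ADMIN', 'MANAGER', 'REP', 'USER'];

// Rewrite a leaf {type: 'role', gte: 'USER'} into the any-of list the issue
// author currently has to write by hand; other leaves are left untouched.
function expandRoleHierarchy(target, order) {
  if (Array.isArray(target)) {
    return [target[0]].concat(target.slice(1).map(function (t) {
      return expandRoleHierarchy(t, order);
    }));
  }
  if (target.gte === undefined) {
    return target;
  }
  var idx = order.indexOf(target.gte);
  if (idx === -1) {
    throw new Error('unknown role in hierarchy: ' + target.gte);
  }
  // Roles at index <= idx are at least as privileged as target.gte.
  return ['any-of'].concat(order.slice(0, idx + 1).map(function (role) {
    return { type: target.type, value: role };
  }));
}

// Evaluate a canonical target against facts such as
// { username: 'fgouveia', group: ['writer', 'reader'], role: 'REP' }.
// A fact may be a scalar or an array (membership in the array matches).
function matchTarget(target, facts) {
  if (Array.isArray(target)) {
    var combine = target[0] === 'all-of' ? 'every' : 'some';
    return target.slice(1)[combine](function (t) { return matchTarget(t, facts); });
  }
  var actual = facts[target.type];
  if (Array.isArray(actual)) {
    return actual.indexOf(target.value) !== -1;
  }
  return actual === target.value;
}

// Accept any of the forms above and decide whether the target matches.
function isPermitted(target, facts, order) {
  var canonical = expandRoleHierarchy(normalizeTarget(target), order || ROLE_ORDER);
  return matchTarget(canonical, facts);
}
```

Keeping the shorthand as a pure rewrite into the existing array form means the evaluator itself stays unchanged, and a deny rule written against the shorthand behaves exactly like the verbose form it expands to.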

dynamic policy create

I am quite a newbie at using hapi.js.

I want to create a dynamic policy using a MySQL database.
Whenever I write a callback function it gives me an error.
Can you please provide me some example for the same? Also, how do I write the callback?

server.register({
    register: require('hapi-rbac'),
    options: {
        // Build the policy as an object: a string concatenated to look like
        // a policy cannot be evaluated by the plugin.
        policy: function (request, callback) {
            var roles = request.auth.credentials.group;

            var target = ['any-of'];
            for (var i = 0; i < roles.length; i++) {
                target.push({ type: 'credentials:group', value: roles[i] });
            }

            var pol = {
                target: target,
                apply: 'permit-overrides',
                rules: [
                    {
                        target: ['any-of', { type: 'credentials:group', value: 'admin' }],
                        effect: 'permit'
                    }
                ]
            };

            return callback(null, pol);
        }
    }
}, function (err) {
    if (err) {
        throw err;
    }
});

Please suggest a solution.

Test dict objects on target rules

Hi!
I can't really understand the way the target is tested against the real value.

After defining this rule

{ target: { 'credentials.roles.recruiter': undefined },
  effect: 'deny'
},
{ effect: 'permit' }

I expect that

{ credentials: {
      roles: {
          recruiter: {}
      }
  }
}

would resolve to credentials.roles.recruiter = "Object" (or something not undefined)
and the rule would deny the access.

Why is my rule denying the access to that case?
