
jesperbruunhansen / loopback-object-acl

Licence: MIT license
Object-level ACL for Loopback Node.js framework


Projects that are alternatives of or similar to loopback-object-acl

Colmena
Colmena is a starter kit for an API with an Admin interface that can be easily extended and built upon.
Stars: ✭ 1,420 (+10823.08%)
Mutual labels:  loopback, help-wanted
loopback-ds-paginate-mixin
A mixin to provide pagination for loopback Model properties
Stars: ✭ 31 (+138.46%)
Mutual labels:  loopback, loopback-mixin
Loopback Component Access Groups
Access controls for Loopback.
Stars: ✭ 56 (+330.77%)
Mutual labels:  acl, loopback
loopback-paginator
No description or website provided.
Stars: ✭ 13 (+0%)
Mutual labels:  loopback, loopback-mixin
loopback-component-mq
Loopback Component for working with a Message Queue
Stars: ✭ 19 (+46.15%)
Mutual labels:  acl, loopback
egov
eGov España - open API for access to public data
Stars: ✭ 21 (+61.54%)
Mutual labels:  help-wanted
caddy-security
🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
Stars: ✭ 696 (+5253.85%)
Mutual labels:  acl
generator-loopback-module
Module generation for loopback framework
Stars: ✭ 13 (+0%)
Mutual labels:  loopback
mrnet
Building an ACL tear detector to spot knee injuries from MRIs with PyTorch (MRNet)
Stars: ✭ 98 (+653.85%)
Mutual labels:  acl
AnkiSharp
Create anki decks and cards from your C# application
Stars: ✭ 39 (+200%)
Mutual labels:  help-wanted
loopback-row-count-mixin
A loopback mixin to get total count of a model
Stars: ✭ 13 (+0%)
Mutual labels:  loopback-mixin
rbac-tool
Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query
Stars: ✭ 546 (+4100%)
Mutual labels:  acl
Imgbot
An Azure Function solution to crawl through all of your image files in GitHub and losslessly compress them. This will make the file size go down, but leave the dimensions and quality untouched. Once it's done, ImgBot will open a pull request for you to review and merge. [email protected]
Stars: ✭ 1,017 (+7723.08%)
Mutual labels:  help-wanted
consul-acl-client-tutorial
Example how to configure and use Consul client agent with ACL
Stars: ✭ 26 (+100%)
Mutual labels:  acl
laravel-zend-acl
Adds ACL to Laravel via Zend\Permissions\Acl component.
Stars: ✭ 41 (+215.38%)
Mutual labels:  acl
nuxt-loopback
Nuxt + Loopback template
Stars: ✭ 11 (-15.38%)
Mutual labels:  loopback
please
please, a sudo clone
Stars: ✭ 40 (+207.69%)
Mutual labels:  acl
gfwlist.acl
🌐gfwlist in acl format, compatible with SSR, update daily by travis CI
Stars: ✭ 48 (+269.23%)
Mutual labels:  acl
nova-permissions
Add Permissions based authorization for your Nova installation via User-based Roles and Permissions. Roles are defined in the database whereas Permissions are defined in the code base.
Stars: ✭ 115 (+784.62%)
Mutual labels:  acl
portecle
User friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more
Stars: ✭ 127 (+876.92%)
Mutual labels:  help-wanted

loopback-object-acl

Loopback provides good "class-level" ACLs for restricting access to a whole Model or its methods, but it lacks the ability to restrict access to individual objects. This project tries to solve that by setting object-level ACLs on each object and manipulating Loopback's query so that only objects the requesting user has access to are returned.


Examples

User Read-level permissions

Let's say we want a Book object to be readable (pun intended) only by 3 users (id: "aaa", id: "bbb" and id: "ccc"):

POST /api/books

{
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship",
   "_acl":{
     "r_perm": {
       "users":["aaa", "bbb", "ccc"]
     }
   }
}

The mixin will transform the object into the form that is stored in Mongo:

{
   id: ObjectId("123"),
   title: "Clean Code",
   subtitle: "A Handbook of Agile Software Craftsmanship",
   r: {
     u: ["aaa", "bbb", "ccc"],
     g: []
   },
   w: {
     u: [],
     g: []
   }
}

This object can now be accessed only by a user with an id of "aaa", "bbb" or "ccc" and by no one else. When retrieving it, the mixin parses the stored ACL back into the _acl form:

GET /api/books/123
authorization: accessToken-aaa

returns:

{
   "id": "123",
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship",
   "_acl":{
     "r_perm": {
       "users":["aaa", "bbb", "ccc"]
     }
   }
}

Whereas requesting without permissions leads to:

GET /api/books/123
authorization: accessToken-ddd

returns:

404 Not found

Group Read-level permissions

Specifying every user that should have access to an object can be cumbersome and time-consuming. This is where groups come in handy.

POST /api/books

{
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship",
   "_acl":{
     "r_perm": {
       "groups":["group-id-1"]
     }
   }
}

As you might have guessed, this object is now accessible to users who have group-id-1 listed in acl_groups on their User object.

Combining Group and User Read-level permissions

If user-id-1 and user-id-2 are not in group-id-1, these users can be given explicit access like this:

POST /api/books

{
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship",
   "_acl":{
     "r_perm": {
       "groups":["group-id-1"],
       "users":["user-id-1", "user-id-2"]
     }
   }
}

Public objects

If you have installed the mixin on your model but do not specify _acl when creating a new object, the object's visibility will be public, e.g.:

POST /api/books

{
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship"
}

returns:

{
   "title": "Clean Code",
   "subtitle": "A Handbook of Agile Software Craftsmanship",
   "_acl":{
     "r_perm": {
       "groups":["*"],
       "users":["*"]
     },
     "w_perm": {
       "groups":["*"],
       "users":["*"]
     }
   }
}
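The transform and read check described in the examples above, written out as an added illustration (this is not the project's own code): `_acl` is converted to the stored `r`/`w` form, a missing `_acl` becomes public, and a read is allowed when the user's id or one of the user's acl_groups matches (or the entry is "*"). The helper names, and the dot-path `where` clause in Loopback filter syntax, are my assumptions.

```javascript
// Added example, not code from loopback-object-acl. Stored shape and
// property names follow the README; helper names are assumptions.
const PUBLIC = ['*'];

// Convert an incoming `_acl` into the stored form `{ r: {u, g}, w: {u, g} }`.
// No `_acl` at all => public read and write, as in "Public objects" above.
// A present `_acl` with a missing permission => empty lists, as in the Mongo example.
function toStoredAcl(acl) {
  if (!acl) return { r: { u: PUBLIC, g: PUBLIC }, w: { u: PUBLIC, g: PUBLIC } };
  const pick = (perm) => ({
    u: (perm && perm.users) || [],
    g: (perm && perm.groups) || [],
  });
  return { r: pick(acl.r_perm), w: pick(acl.w_perm) };
}

// Reverse transform, applied when an object is handed back to the client.
function fromStoredAcl(stored) {
  return {
    r_perm: { users: stored.r.u, groups: stored.r.g },
    w_perm: { users: stored.w.u, groups: stored.w.g },
  };
}

// Decide whether `user` ({ id, acl_groups }) may read `doc` (stored form).
// A false result is what the README surfaces as "404 Not found".
function canRead(doc, user) {
  const { u, g } = doc.r;
  if (u.includes('*') || g.includes('*')) return true;
  if (u.includes(user.id)) return true;
  const groups = user.acl_groups || [];
  return groups.some((grp) => g.includes(grp));
}

// Loopback-style `where` clause selecting the same set as canRead, so the
// datasource only returns readable objects. The nested 'r.u' / 'r.g' paths
// assume the connector resolves dot notation (an assumption, not verified here).
function readWhere(user) {
  return {
    or: [
      { 'r.u': { inq: ['*', user.id] } },
      { 'r.g': { inq: ['*', ...(user.acl_groups || [])] } },
    ],
  };
}

// In-memory equivalent of applying readWhere to a result set.
function filterReadable(docs, user) {
  return docs.filter((doc) => canRead(doc, user));
}
```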

Install

npm install --save loopback-object-acl

In model-config.json, add ../node_modules/loopback-object-acl to the mixins list:

  "_meta": {
    "sources": [
      "loopback/common/models",
      "loopback/server/models",
      "../common/models",
      "./models"
    ],
    "mixins": [
      "loopback/common/mixins",
      "loopback/server/mixins",
      "../common/mixins",
      "./mixins",
      "../node_modules/loopback-object-acl"
    ]
  }

Set ObjectAclController on whatever model you would like to protect with object-level ACL:

book.json

{
  "name": "Book",
  "base": "PersistedModel",
  "idInjection": true,
  "options": {
    "validateUpsert": true
  },
  "mixins": {
    "ObjectAclController": {}
  }
  ...
}

CurrentUser in context

This mixin expects a currentUser object on the options object. This is not default Loopback v3.x behavior and must be implemented before use.

An implementation can be found here: http://loopback.io//doc/en/lb3/Using-current-context.html#use-a-custom-strong-remoting-phase

Compatibility

This mixin is only tested with Loopback v3.X using MongoDB as the DataSource.

TODO

Read-permissions

  • Do only return objects from database that the requesting user has access to.

Write-permissions

Version 2.0

Client

  • Set ACL on object-creation
  • Set permissions on user creation

Tests

  • ObjectAcl.js
  • CurrentUserUtil.js