Check permissions using Shiro-like strings, put in a trie.
Module for handling permissions in an Apache Shiro-like style. Permissions are stored in a Trie, which makes checks very fast and allows additional queries beyond a simple permission check: it is also possible to return a list of sub-rights. For example, if you have permissions to access the resources with id 1 and 2, you can simply ask which ids are accessible, using a customized Shiro syntax.
$ npm install --save shiro-trie
$ bower install --save shiro-trie
var shiroTrie = require('shiro-trie');
Using the shiro-trie plugin in your web app is pretty simple, too. First, include the script file in your HTML file:
```js
var shiroTrie = require('shiro-trie');

var account1 = shiroTrie.newTrie();
account1.add([
  'printer:xpc5000:print',
  'printer:xpc4000:*',
  'nas:timeCapsule,fritzbox:read'
]);

account1.check('printer:xpc4000:configure'); // true
account1.check('nas:timeCapsule:write');     // false

account1.permissions('printer:?'); // ['xpc5000', 'xpc4000']
account1.permissions('nas:$:?');   // ['read']
```
See Understanding Permissions in Apache Shiro for a short introduction to the Shiro syntax. Basically, you can describe a permission hierarchy using `:` as separator.
- You may define multiple alternatives for a level using `,` as separator: `nas:timeCapsule,fritzbox:read` is the same as `nas:timeCapsule:read` plus `nas:fritzbox:read`.
- You may also use the wildcard character `*` to grant all permissions: `printer:*:print` grants printing on any printer.
- At the end, a wildcard may be omitted. Example: `printer:xpc5000` is the same as `printer:xpc5000:*`.
The function for adding one or multiple permissions is `.add(…)`. You may pass one string, several strings or array(s) of strings. It returns the same ShiroTrie instance for chaining.
Unlike in some other Shiro libraries, `?` is not a single-character wildcard.
You should always check for explicit permissions (no wildcard `*` or alternative `,` characters). For example:
The function for checking a permission is `.check(string)`. It returns `true` or `false`.
Given the example above, you may want to show a list of the printers the user has access to (that is, any sub-permission). In traditional Shiro, you have to take the whole list and whitelist each single object with a separate permission check to find out whether there are permissions or not.
This module has a special method with a slightly different syntax to achieve exactly that: getting the objects an account has permissions to.
The syntax is basically the same as for checking permissions, but introduces two new special characters:
- `?`. You perform a normal check, but swap a single part of the query with `?`. This means "give me everything that can stand there". `nas:timeCapsule,fritzbox:read` can be queried with `nas:?`, which returns `['timeCapsule', 'fritzbox']`. In the same manner, `nas:?:write` returns a list of all NAS devices on which the `write` permission is available.
- `$` is a special character for "any". For example: `nas:$:?` returns a list of the rights the user has on any NAS device, where each right is included only once, e.g. `['read', 'write', 'reboot']`.
The function for checking available permissions is `.permissions(string)`. It returns an Array of available permission Strings. The query string may contain only one `?` character. Also note that `nas:?` is the same query as `nas:?:$` (which would also return `['timeCapsule', 'fritzbox']`).
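To make the trie semantics above concrete, here is a small stand-alone reimplementation, added as an example and not the shiro-trie library's own code (the class name `PermTrie` and its helper names are assumptions): `,` alternatives become sibling branches, a leaf `*` node grants everything below it, and the `?` / `$` queries walk the same structure. It also goes a step beyond the text by using prototype-less nodes, so permission parts taken from untrusted input cannot hit `Object.prototype`.

```javascript
// Minimal Shiro-style permission trie, added as an illustration of the semantics
// described above; it is NOT the shiro-trie library's own implementation. Nodes are
// prototype-less objects, so untrusted parts such as '__proto__' or 'constructor'
// are plain keys rather than prototype lookups.
const newNode = () => Object.create(null);
const isLeafStar = node => node['*'] !== undefined && Object.keys(node['*']).length === 0;
// Expand 'a,b:c' into every concrete path: [['a','c'], ['b','c']].
const variants = perm => perm.split(':').map(level => level.split(','))
  .reduce((paths, alts) => paths.flatMap(p => alts.map(a => [...p, a])), [[]]);
class PermTrie {
  constructor() { this.root = newNode(); }
  // Store each variant; a trailing '*' is implied ('printer:xpc5000' == 'printer:xpc5000:*').
  add(...perms) {
    for (const perm of perms.flat()) for (const path of variants(perm)) {
      if (path[path.length - 1] !== '*') path.push('*');
      path.reduce((node, part) => (node[part] = node[part] || newNode()), this.root);
    }
    return this;
  }
  // A leaf '*' grants everything below it; both the literal branch and a non-leaf '*'
  // branch (from e.g. 'printer:*:print') are tried. In query mode, running out of
  // parts counts as a match and '$' matches any child.
  _walk(node, parts, i, query = false) {
    if (isLeafStar(node)) return true;
    if (i === parts.length) return query;
    if (query && parts[i] === '$') return Object.keys(node).some(k => this._walk(node[k], parts, i + 1, true));
    return Boolean(node[parts[i]] && this._walk(node[parts[i]], parts, i + 1, query)) ||
      Boolean(node['*'] && this._walk(node['*'], parts, i + 1, query));
  }

  // With ',' alternatives, every variant must be granted.
  check(perm) { return variants(perm).every(path => this._walk(this.root, path, 0)); }

  // List what can stand at '?'; '$' matches any single level, levels after '?' must
  // still be granted ('nas:?:write'), and '*' entries are not enumerated.
  permissions(query) {
    const parts = query.split(':'), found = new Set();
    const collect = (node, i) => {
      if (i === parts.length) return;
      if (parts[i] === '?') {
        Object.keys(node).filter(k => k !== '*' && this._walk(node[k], parts, i + 1, true))
          .forEach(k => found.add(k));
      } else if (parts[i] === '$') Object.keys(node).forEach(k => collect(node[k], i + 1));
      else if (node[parts[i]]) collect(node[parts[i]], i + 1);
    };
    collect(this.root, 0);
    return [...found];
  }
}
```

Feeding it the README's example permissions reproduces the results shown above (`permissions('nas:$:?')` gives `['read']`, `check('nas:timeCapsule:write')` is `false`).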
var shiroTrie = require('shiro-trie');
`shiroTrie.newTrie()` returns a new ShiroTrie instance:
```js
var account1 = shiroTrie.newTrie();
```
`.add(…)` adds new permissions. Multiple permission strings can be added at once, either as an argument list or as an array; even multiple arrays may be passed as arguments. Returns the same instance for chaining.
Permission strings may contain the special characters `*` and `,`, but not `?`.
```js
account1.add([
  'printer:xpc5000:print',
  'printer:xpc4000:*',
  'nas:timeCapsule,fritzbox:read'
]);
```
`.check(string)` checks whether a single permission is allowed. No special characters apart from `*` are allowed.
If the permission string contains `,` characters, all variants are tested and the result is only `true` if all of them are allowed.
```js
account1.check('printer:xpc4000:configure'); // true
account1.check('nas:timeCapsule:write');     // false
```
`.permissions(string)` retrieves a list of the available permissions at a certain position in the permission Trie.
Expects a permission string containing `?`. Additionally, the any operator `$` can be used.
```js
account1.permissions('printer:?'); // ['xpc5000', 'xpc4000']
account1.permissions('nas:$:?');   // ['read']
```
Empties the Trie and returns it. New permissions can then be added using `.add(…)`.
Tests can be executed with Mocha:
$ mocha -R spec
Current test coverage can be checked with istanbul:
$ istanbul cover _mocha -- -R spec
`permissions(…)` and one case in `_check` are implemented recursively, which is probably not ideal.
MIT © entrecode GmbH