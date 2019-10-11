Simple in-memory ACL for node.js apps. Supports arbitrary roles and resources, including role/resource detection using a simple interface. Additionally supports custom assertions for more complex rules.

Why Virgen-ACL?

Most ACLs for node.js were too complex for my taste, or required strict conventions that I didn't necessarily want/need to follow. Virgen-ACL is an attempt to provide a low-level ACL that can be used the way works best for you. It is based loosely on Zend_Acl from Zend Framework 1.x, which is one of the most flexible ACLs I've ever worked with.

All ACL rules are stored in memory, making Virgen-ACL extremely fast. Unless specified with custom assertions, there are no DB lookups when querying the ACL, allowing your app to respond as quickly as possible to ACL-gated content.

When querying the ACL, the rules are processed in LIFO order. The first rule to produce a non-empty result (i.e. not null) becomes the permission for the given role/resource/action tuple. This allows you to provide general rules first, followed by "overrides" for special cases.

Installation

npm install virgen-acl

Usage

var Acl = require ( "virgen-acl" ).Acl , acl = new Acl(); acl.addRole( "guest" ); acl.addRole( "member" , "guest" ); acl.addRole( "admin" ); acl.addResource( "blog" ); acl.deny(); acl.allow( "admin" ); acl.allow( "member" , "blog" , "comment" ); acl.allow( null , "blog" , "view" ); acl.allow( "guest" , "blog" , [ "list" , "search" ]) acl.query( "member" , "blog" , "comment" , function ( err, allowed ) { if (allowed) { } else { } }); acl.query([ "member" , "admin" ], "blog" , "create" , function ( err, allowed ) { if (allowed) { } else { } });

Role and Resource Discovery

If you are more of an object-oriented programmer and prefer to use objects to represent your roles and resources, then you're in luck! Virgen-ACL can discover roles and resources from your objects so long as your role objects contain the property role_id OR a function getRoleId() and your resource objects contain the property resource_id OR a function getResourceId() . Valid value types for role_ids are string, an array of strings, or null . Valid value types for resource_ids are null or strings. Here's an example of how that might work:

var User = ( function ( ) { User = function ( attribs ) { this .id = attribs.id || null ; } User.prototype.getRoleId = function ( ) { if ( this .id) { return "member" ; } else { return "guest" ; } } return User; })(); var Blog = ( function ( ) { Blog = function ( attribs ) { this .resource_id = "blog" ; this .status = attribs.status || "draft" ; }; return Blog; })(); var userA = new User(); userA.getRoleId(); var userB = new User({ id : 123 }); userB.getRoleId(); var blog = new Blog(); blog.resource_id; var acl = new Acl(); acl.addRole( "guest" ); acl.addRole( "member" , "guest" ); acl.allow( "guest" , "blog" , "view" ); acl.allow( "member" , "blog" , "comment" ); acl.query(userA, blog, "view" , function ( err, allowed ) { assert(allowed == true ); }); acl.query(userA, blog, "comment" , function ( err, allowed ) { assert(allowed == false ); }); acl.query(userB, blog, "view" , function ( err, allowed ) { assert(allowed == true ); }); acl.query(userB, blog, "comment" , function ( err, allowed ) { assert(allowed == false ); });

Custom Assertions

Sometimes you need more complex rules when determining access. Custom assertions can be provided to perform additional logic on each matching ACL query: