Sails.js Policies, is there an OR operator to allow an action if one of a group of policies succeeds?

Question

When configuring policies in sails in config/policies.js such as:

    ActivityController: {
        create: ['authenticated'],
        update: ['authenticated', 'isActivityOwner'],
        destroy: ['authenticated' ,'isActivityOwner']
    }

Is there any functionality that would allow me to grant access to the action provided one or more of a group of policies succeeds maybe something like:

    ActivityController: {
        create: ['authenticated'],
        update: ['authenticated', {or:['isActivityOwner', 'isAdmin']}],
        destroy: ['authenticated' ,'isActivityOwner']
    }

Alternatively is it possible to create composite policies so that in one policy I may check one or more other policies?

If both of these options seem like poor solutions, can you suggest an approach that would would be considered better practice?

Forgive me if this is a bit obvious but I'm fairly new to sails and node in general, and thanks in advance for any help!

score 11 · Accepted Answer · answered Nov 22 '13 at 01:00

11

I haven't found any official support for operators in sails policies but here is what I am doing.

ActivityController: {
    update: ['authenticated', 'orActivityOwner', 'orAdmin', orPolicy],
}

Both orActivityOwner and orAdmin return next() as if they are valid. But they also set a boolean value to a session variable. Remember, policies are executed from left to right. I added an orPolicy to the end which will then evaluate the state of our session variable.

answered Nov 22 '13 at 01:00

Travis

636
8
11

2

This is a usable workaround but I think it's a bit messy. Maybe it would be better if one could supply an object with an operator such as `{ operator: 'OR', policies: ['ActivityOwner','Admin']}`. I think that would be more flexible. I'll take a peek at the code and maybe ask the sails team if they would be interested in this approach. Thanks for the workaround though! – AggggggghFuuuuuuuuuuuuu Dec 10 '13 at 14:10
Excellent Workaround. You can also chooser parts that are absolutely required for instance: isLoggedIn you can just hit the res.redirect right there, and any other policies that are "Or" keeps getting passed until it hits orPolicy for evaluation. – geilt May 12 '14 at 18:29
you advice force to provide a lot of files in policy directory. For each right you have to create Or, And, Is. So if you have for example admin and user it will have 6 separate rights. – 1nstinct Nov 06 '15 at 15:48
Good solution @Travis – kaxi1993 Feb 04 '17 at 19:03

score 7 · Answer 2 · answered Aug 31 '15 at 15:27

7

check out sails-must:

ActivityController: {
    create: 'authenticated',
    update: ['authenticated', must().be.the.owner.or.be.a.member.of('admins')],
    destroy: ['authenticated', must().be.the.owner]
}

answered Aug 31 '15 at 15:27

cludden

71
1
1

score 5 · Answer 3 · answered Jun 21 '15 at 19:07

5

I've created a sails hook to be able to add parameters to policies:
https://github.com/mastilver/sails-hook-parametized-policies

I've setup an example where I defined an or policy:

module.exports = function(firstPolicy, secondPolicy){

    return function(req, res, next){


        var fakeRes = {};

        for(var i in res){
            if(i === 'forbidden'){
                // override the functions you want the `or` factory to handle
                fakeRes[i] = function(){
                    secondPolicy(req, res, next);
                };
            }
            else{
                fakeRes[i] = res[i];
            }
        }


        firstPolicy(req, fakeRes, next);
    }
}

Which you can use that way:

ActivityController: {
        create: ['authenticated'],
        update: ['authenticated', 'or(isActivityOwner, isAdmin)'],
        destroy: ['authenticated' ,'isActivityOwner']
    }

answered Jun 21 '15 at 19:07

mastilver

665
6
18

Your answer is workable. I've made minor modifications to your code, which provide ability to pass thirdPolicy. https://gist.github.com/1nstinct/12399f8adc4e5cfd6e88 – 1nstinct Nov 06 '15 at 15:40
@1nstinct the ideal would be to use a recursive function so it can handle as many policy as possible Feels free to send me a PR to update the readme – mastilver Nov 30 '15 at 21:12
1

@1nstinct Pull request on Github – Kiksy Jan 21 '16 at 15:31
@mastilver I've made modifications, that provide ability to send any count of policies as arguments. https://gist.github.com/1nstinct/12399f8adc4e5cfd6e88 – 1nstinct Jun 10 '16 at 10:18
@1nstinct Could you send me pull request to https://github.com/mastilver/sails-hook-parametized-policies to update the readme (easier to talk there) Just replace my `or.js` example with a link to your gist – mastilver Jun 10 '16 at 15:21

score 1 · Answer 4 · answered Mar 18 '15 at 09:43

Just to complete the previous answer, that works like a charm :

Piece of information

But they also set a boolean value to a session variable

I myself prefer setting this boolean to the req object, that :

Is more semantic (access granted or not to ressource for the request, not for entire session)
Does not requires me to manually reset this variable (I should add that, if you DO want to use session like in @Travis solution , the last orPolicy policy must reset (even unset) the variable in order to protect the next request)

My implementation

config/policies.js :

MyController: {
  find: ['orIsTest1', 'orIsTest2', 'protectedResourceGranted']
}

api/policies/orIsTest1.js :

module.exports = function(req, res, next) {
  req.protectedResourceGranted = req.protectedResourceGranted || WHATEVERFIRSTTEST;

  return next();
};

api/policies/orIsTest2.js

module.exports = function(req, res, next) {
  req.protectedResourceGranted = req.protectedResourceGranted || WHATEVERSECONDTEST;

  return next();
};

api/policies/protectedResourceGranted.js

module.exports = function(req, res, next) {
  if(req.protectedResourceGranted) {
    return next();
  }

  return res.forbidden();
};

NB: Just answering 'cause I haven't got enough reputation to comment.

pejalo · Answer 5 · 2015-03-31T18:55:02.370

The other answers here work great, but here is an implementation that I find slightly cleaner.

Instead of creating policies designed for an OR situation that call next() even though they should fail, you can modify your existing policies to use in an AND/OR context, while hardly changing their behavior. Then create a composite policy (like the OP suggested) that checks the modified existing policies.

config/policies.js with example controllers and policies:

AdminController: {
  adminDashboard: 'isAuthenticated',
},

ItemController: {
  findOne: 'isPublishedOrIsAuthenticated'
}

api/policies/isAuthenticated.js and api/policies/isPublished.js and any other policy you want to use as a part of an AND/OR check:

If next was set to the true boolean (as opposed to a callback), just return true or false before the policy would normally return next(), res.notFound(), etc.

module.exports = function(req, res, next) {
  // do some checking
  if(next === true) return true; // or return false
  return next();
};

Note that we need to use the triple-equals sign here.

api/policies/isPublishedOrIsAuthenticated.js

module.exports = function(req, res, next) {
  var isPublished = require('./isPublished.js');
  var isAuthenticated = require('./isAuthenticated.js');

  // This reads like what we are trying to achieve!
  // The third argument in each call tells the function to return a boolean
  if(isPublished(req, res, true) || isAuthenticated(req, res, true))
    return next();

  return res.notFound();
};

Someone knows any better way than `require` to manualy invoke a policy — Cyril CHAPON, Jun 09 '15 at 08:33

Sails.js Policies, is there an OR operator to allow an action if one of a group of policies succeeds?

5 Answers5

Piece of information

My implementation