
I have been working on a project where I need to create and assign policies according to access rights/levels to users in sails.js.

Each user can access all levels below his level; for example, an admin has a level 9 and he can access all levels below level 9.

Currently in sails all policies are stored in the api/policies folder and are assigned to controllers in config/policies.js:

module.exports.policies = {
    UserController: {
        "create": ['canCreate'],
        "list": ['canRead'],
        "show": ['canRead'],
    },
    AuthController: {
        '*': true,
    }
};

My question is: how can I make dynamic policies based on access levels coming in from the DB?

I have Googled it but found nothing on how to create dynamic policies in sails.js, so I am posting here.

Appreciate your help on this.

Thanks

Adarsh Nahar

4 Answers

Check out sails-permissions.

Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.

Travis Webb

A simple method would be to create a policy for each access level.

policies/level01.js, policies/level02.js, etc.

Your policy file will check their session/token to make sure they meet the criteria of that policy.

policies/level01.js

module.exports = function(req, res, next) {
    // Compare with ===; a single = would assign 1 to the session and always pass
    if (req.session.accessLevel === 1) return next();
    return res.forbidden();
};

Then in your config

module.exports.policies = {
    UserController: {
        // A policy is referenced by its file name without the .js extension;
        // XX is the level that the action requires
        "create": ['levelXX'],
        "list": ['levelXX'],
        "show": ['levelXX'],
    },
    AuthController: {
        '*': true,
    }
};

Start with something like this to familiarize yourself with how these policies work and build up from there. It is always very important to know and understand exactly how your security works.

Meeker
  • How would I call policies according to level in config, as each user can have a different access level? – Adarsh Nahar Apr 21 '15 at 15:00
  • you call the policies based on the restriction of the end point. So if UserController.create is limited to those with level 4 for example, then in the above example you will put ['policy04.js'] on the create action and then have policy04.js check to make sure that they are indeed at level 4. – Meeker Apr 21 '15 at 16:04
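Building on the per-level policy files above, here is an added example (not code from the answers or from Sails itself) of generating the levelNN policies from one factory so the level threshold is data rather than a hand-edited constant. It assumes req.session.accessLevel was populated from the DB at login, and follows the question's rule that a user may reach every level at or below their own; runPolicy is a hypothetical stand-in for the Sails request cycle so the policies can be exercised offline.

```javascript
// Policy factory: returns a Sails-style policy (req, res, next) that only
// lets through sessions whose accessLevel is at least minLevel.
function requireLevel(minLevel) {
  if (!Number.isInteger(minLevel) || minLevel < 0) {
    throw new TypeError('minLevel must be a non-negative integer');
  }
  return function levelPolicy(req, res, next) {
    var level = req.session && req.session.accessLevel;
    // Fail closed: a missing or non-integer level (e.g. the string "9") is
    // treated as no access rather than being coerced by a loose comparison.
    if (!Number.isInteger(level)) return res.forbidden();
    // Assumed semantics from the question: a user can reach every level at
    // or below their own, so level 9 satisfies a level 4 requirement.
    if (level >= minLevel) return next();
    return res.forbidden();
  };
}

// Generates the set of policies that would otherwise live in
// api/policies/level01.js ... levelNN.js, keyed the way config/policies.js
// references them (file name without the .js extension).
function buildLevelPolicies(maxLevel) {
  var policies = {};
  for (var n = 1; n <= maxLevel; n++) {
    policies['level' + String(n).padStart(2, '0')] = requireLevel(n);
  }
  return policies;
}

// Hypothetical minimal req/res/next so a policy can be run outside Sails;
// returns 'allowed' or 'forbidden' for the given session access level.
function runPolicy(policy, sessionLevel) {
  var outcome = null;
  var req = { session: { accessLevel: sessionLevel } };
  var res = { forbidden: function () { outcome = 'forbidden'; return outcome; } };
  var next = function () { outcome = 'allowed'; return outcome; };
  policy(req, res, next);
  return outcome;
}

module.exports = { requireLevel: requireLevel, buildLevelPolicies: buildLevelPolicies, runPolicy: runPolicy };
```

In a real Sails app each generated policy would still be exported from its own file under api/policies, since Sails discovers policies by file name.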

The solution of @Travis Webb is a nice one. You can also create a Role model and a Permission model linked by relations (one to many, many to many, ...) as you wish, and then filter them with a policy like this:

Example:

module.exports = function isAdmin(req, res, next) {
    if (typeof req.session.User !== "undefined") {
        // Re-load the user's roles from the DB on each request instead of
        // trusting a role list cached in the session
        User.findOne(req.session.User.id).populate('roles').exec(function(err, user) {
            if (err) return res.forbidden('You are not permitted to perform this action.');
            if (!user) return res.redirect('/user/new');
            for (var i = 0; i < user.roles.length; i++) {
                if (user.roles[i].name === 'ROLE_ADMIN') {
                    return next();
                }
            }
            return res.redirect('/user/show/' + req.session.User.id);
        });
    } else {
        return res.redirect('/session/new');
    }
};

Best Regards

Mehdi Aïssani

A year and a half later, if someone runs into this, sails-must seems like a nice solution for this.

RabbitController: {
    nurture: must().be.a('rabbit').mother,
    feed: [must().be.nice.to('rabbits'), must().have('rabbit').food]
},

Disclaimer: I have not used it myself.

Tomer Cagan