Acl

Restrict calling a class method using an acl. Arguments are declared in pairs of a check type and an option object. When multiple pairs are declared, the caller is permitted access if passing any of the criteria. A script.accessDenied.acl Fault is thrown if all checks fail. To create an and style check, stack multiple @acl decorators.

class Secured {

  // allows any administrator or account holder with matching email addresses.
  // service account emails take the form `${serviceAccount.name}@${org.code}-iam.serviceaccount.medable.com`
  @acl(
    'role', consts.roles.Administrator, 
    'account', ['[email protected]', 'sample@$env123-iam.serviceaccount.medable.com']
  )
  foo() {    
  }

  // fails unless the first argument equals a particular value and the method caller is [email protected]
  @acl('assert', (principal, arg1) => arg1 === 'knock knock' && principal.email === '[email protected]' )
  bar(arg1, arg2) {  
  }

}

@acl( type, options, ... )

Arguments

type { String } Options object. One of (account, role, assert).
options { * }
- For account { String[] | ObjectID[] } An account id or email list that's allowed access.
- For role { ObjectID[] } A role identifier list.
- For assert { Function } A function that takes the calling principal and the methods arguments and must return
  a "truey" value to allow access. (`function(principal, arg1, args, ...) { return true })

Last updated 3 years ago

Was this helpful?