Acl

Restricts calling a class method using an ACL. Arguments are declared in pairs of a check type and an options object. When multiple pairs are declared, the caller is permitted access if any one of the criteria passes. A script.accessDenied.acl Fault is thrown if all checks fail. To create an AND-style check, stack multiple @acl decorators.

class Secured {

  // allows any administrator or account holder with matching email addresses.
  // service account emails take the form `${serviceAccount.name}@${org.code}-iam.serviceaccount.medable.com`
  @acl(
    'role', consts.roles.Administrator, 
    'account', ['admin@medable.com', 'sample@$env123-iam.serviceaccount.medable.com']
  )
  foo() {    
  }

  // fails unless the first argument equals a particular value and the method caller is test@medable.com
  @acl('assert', (principal, arg1) => arg1 === 'knock knock' && principal.email === 'test@medable.com' )
  bar(arg1, arg2) {  
  }

}

@acl( type, options, ... )

Arguments

  • type { String } The check type. One of (account, role, assert).

  • options { * }

    • For account { String[] | ObjectID[] } An account id or email list that's allowed access.

    • For role { ObjectID[] } A role identifier list.

    • For assert { Function } A function that takes the calling principal and the method's arguments and must return a "truthy" value to allow access. (`function(principal, arg1, args, ...) { return true }`)
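
The any-pair-passes rule within one decorator and the AND behaviour of stacked decorators described above, modelled in plain JavaScript as an added example (not Medable's implementation and not code from this page). It assumes the caller is passed explicitly as a principal object with `_id`, `email` and `roles`; `ADMIN`, `tryCall` and the sample principals are constructed for illustration.

```javascript
// Model of the documented @acl semantics (added example, not Medable's code).
// Assumption: the caller is passed explicitly as { _id, email, roles: [...] }.
const DENIED = 'script.accessDenied.acl'; // fault code named on the page
const one = v => [].concat(v);            // accept a single value or a list

const checks = {
  account: (p, ids) => one(ids).some(a => String(a) === p.email || String(a) === String(p._id)),
  role: (p, roles) => one(roles).some(r => p.roles.map(String).includes(String(r))),
  assert: (p, fn, args) => Boolean(fn(p, ...args)), // predicate sees principal + method args
};

// One layer: (type, options) pairs; access is granted if ANY pair passes.
function acl(...pairs) {
  if (pairs.length === 0 || pairs.length % 2 !== 0) {
    throw new TypeError('acl expects (type, options) pairs');
  }
  for (let i = 0; i < pairs.length; i += 2) { // reject unknown types up front
    if (!Object.prototype.hasOwnProperty.call(checks, pairs[i])) throw new TypeError(`unknown check type: ${pairs[i]}`);
  }
  return method => function guarded(principal, ...args) {
    let ok = false;
    for (let i = 0; i < pairs.length && !ok; i += 2) {
      ok = checks[pairs[i]](principal, pairs[i + 1], args);
    }
    if (!ok) { // every pair in this layer failed
      const fault = new Error('access denied');
      fault.code = DENIED;
      throw fault;
    }
    return method.call(this, principal, ...args);
  };
}

// Constructed sample data; ADMIN stands in for consts.roles.Administrator.
const ADMIN = 'role-admin';
const admin = { _id: 'a1', email: 'admin@medable.com', roles: [ADMIN] };
const tester = { _id: 't1', email: 'test@medable.com', roles: [] };

// OR: one layer with two pairs. AND: two stacked layers, both must pass.
const foo = acl('role', ADMIN, 'account', ['test@medable.com'])(() => 'foo ok');
const bar = acl('role', ADMIN)(
  acl('assert', (p, arg1) => arg1 === 'knock knock')(() => 'bar ok'));

// Returns the method result, or the fault code when access is denied.
function tryCall(fn, ...args) {
  try { return fn(...args); } catch (e) { return e.code; }
}
```

Here `foo` admits either the administrator role or the listed account, while `bar` requires the administrator role and a passing assertion, so a non-admin caller is denied even with the right argument.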
