Restrict calling a class method using an acl. Arguments are declared in pairs of a check type and an option object. When multiple pairs are declared, the caller is permitted access if passing any of the criteria. A script.accessDenied.acl Fault is thrown if all checks fail. To create an and style check, stack multiple @acl decorators.

class Secured {

  // allows any administrator or account holder with matching email addresses.
  // service account emails take the form `${}@${org.code}`
    'role', consts.roles.Administrator, 
    'account', ['', 'sample@$']
  foo() {    

  // fails unless the first argument equals a particular value and the method caller is
  @acl('assert', (principal, arg1) => arg1 === 'knock knock' && === '' )
  bar(arg1, arg2) {  


@acl( type, options, ... )


  • type { String } Options object. One of (account, role, assert).

  • options { * }

    • For account { String[] | ObjectID[] } An account id or email list that's allowed access.

    • For role { ObjectID[] } A role identifier list.

    • For assert { Function } A function that takes the calling principal and the methods arguments and must return

      a "truey" value to allow access. (`function(principal, arg1, args, ...) { return true })

Last updated