Created
November 10, 2014 04:23
loopback authorization and dynamic role check
1. How do you control access to a remoteMethod?
   - Do the check in a beforeRemote or afterRemote hook
   - I usually prefer the beforeRemote hook, because:
     - you can filter and validate the parameters the user sends up front, e.g. drop malformed content or force specific parameters in
     - you can compose the query precisely, so no extra data is fetched
   - With an after hook
     - you fetch all the data first, then strip the records that don't belong to the user before returning them to the client
   - Docs
     - http://docs.strongloop.com/display/public/LB/Remote+hooks
2. Is there a way to build a tree-shaped permission structure? The boss can see all sales records of the COO and of sales, the COO can see the sales team's sales, and sales cannot see the COO; i.e. a hierarchy whose scope points downward.
   - A dynamic $role resolver can do this
   - Docs
     - http://docs.strongloop.com/display/public/LB/Controlling+data+access
   - Use the ACL group concept
     - create three groups (e.g. DB tables): boss, coo, sales
     - put each user into one of the three groups according to their identity
     - then use a dynamic role resolver to do the check
   - Syntax example
     Role.registerResolver('$boss', function(role, context, cb) {
       // check if userId is in team table for the given project id
       // query the boss table to see whether this user is one of its members
       boss.findById(context.modelId, function(err, project) {
         if (err) return cb(err);
         var isMember = false; /* do check here, set isMember from the lookup result */
         // the resolver must always report its verdict: cb(null, true) grants, cb(null, false) denies
         cb(null, isMember);
       });
     });
   - Full example
     - http://goo.gl/awjjBn
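The downward-scoped check from question 2, as an added example that is not part of the gist: a resolver with the (role, context, cb) signature LoopBack's Role.registerResolver expects, backed by constructed in-memory stand-ins for the boss/coo/sales group tables and the Sale model. The role name '$subordinate' is hypothetical, and it assumes members of the same group may see each other's records, which the question does not state.

```javascript
// Added example (not from the gist): a downward-scoped dynamic role check in
// the shape LoopBack's Role.registerResolver(name, function(role, context, cb))
// expects. The three tables below are constructed sample data standing in for
// the boss/coo/sales group tables and the Sale model; nothing is imported.

// Which groups a member of each group may see, itself included (the hierarchy
// from the question: boss > coo > sales).
const VISIBLE_GROUPS = {
  boss: ['boss', 'coo', 'sales'],
  coo: ['coo', 'sales'],
  sales: ['sales'],
};

// Stand-in for the group tables: userId -> group (constructed).
const GROUP_OF_USER = { 1: 'boss', 2: 'coo', 3: 'sales', 4: 'sales' };

// Stand-in for Sale.findById: saleId -> ownerId (constructed).
const SALE_OWNER = { 100: 3, 101: 4, 102: 2, 103: 1 };

// Pure check: may `viewerId` see the sale record `saleId`?
// Unknown users, unknown records and unknown groups all deny (fail closed).
function canSeeSale(viewerId, saleId) {
  const ownerId = SALE_OWNER[saleId];
  if (ownerId === undefined) return false;
  const visible = VISIBLE_GROUPS[GROUP_OF_USER[viewerId]] || [];
  return visible.includes(GROUP_OF_USER[ownerId]);
}

// Resolver with LoopBack's signature. context.accessToken.userId is the
// requester and context.modelId the record being accessed; cb(err, isInRole)
// grants or denies. A real resolver would do the lookups asynchronously with
// findById, as in the gist's snippet; here they are in-memory and synchronous.
function subordinateResolver(role, context, cb) {
  const userId = context.accessToken && context.accessToken.userId;
  if (!userId) return cb(null, false); // anonymous request: deny
  return cb(null, canSeeSale(userId, context.modelId));
}

// Registration in a LoopBack boot script (hypothetical role name):
//   app.models.Role.registerResolver('$subordinate', subordinateResolver);
// plus an ACL entry on the Sale model granting READ to principalId "$subordinate".
```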