Permissions and Access Rights within controllers

[MaheshkumarSundaram]

Hi @neonexus,

I would like to get your suggestion on how to achieve the below usecase regarding access rights and permissions.

Say, an user has permission to access to view and add new users but not update or delete users (not ideal; just to give an example)
In this case, they would need access to api/controllers/admin/create-user.js and api/controllers/admin/get-users.jsbut not the other scripts in AdminController.

In such cases, how to effectively provide API access? Can I adapt config/policies.js to accomodate these scenarios or should it be handled as a part of the script directly?

Any help would be appreciated. Thanks.

[neonexus]

Generally speaking, you want to default to using policies for access rights control. On one hand, it helps keep things consistent, on the other, they are independent functions run before your controller, so they help keep things safer as well.

So, in this case, I would have the policies "can-delete" / "can-edit", and they would check, depending on your needs, if they have the proper permission level, or have the granular access granted.

Make sense?

[MaheshkumarSundaram]

Thanks @neonexus. Yeah it does make sense.

Just to confirm, in the config/policies, there is already:

module.exports.policies = {
    '*': true,
    AdminController: {
        '*': ['isLoggedIn'],
     },
};

Now, I adapt it like the below !?

module.exports.policies = {
    '*': true,
    AdminController: {
        '*': ['isLoggedIn'],
     },
   'admin/can-edit': {
        '*': ['isClnManager'],
     },
  'admin/can-delete': {
        '*': ['isClnManager'],
     },
};

Am I correct? For all the scripts in api/controllers/admin, we have AdminController which would enforce login while the specifics would enforce just my required access right?

Please correct me if I am wrong. Thanks.

[neonexus]

Sorry for the delay.

Your policies should look like:

module.exports.policies = {
    '*': true, // This opens the door wide open if there isn't a policy configured for the route.

    AdminController: {
        '*': ['isLoggedIn'], // This is for any files in 'api/admin' that don't have an explicit policy set (like below).
        'can-edit': ['isLoggedIn', 'isClnManager'], // This is for 'api/admin/can-edit.js'
        'can-delete': ['isLoggedIn', 'isClnManager'] // This is for 'api/admin/can-delete.js'
     }
};

The order goes "Explicit > Generic". If there isn't an explicit policy set, it goes to the next least-generic policy. So, in this case, there are the 2 routes that are explicitly defined, then there is the generic "admin" policy, and finally the overall policy.

Policies DO NOT stack. You must list them in-order, like above. (So, isLoggedIn is run first, then isClnManager.)

[MaheshkumarSundaram]

Thank you for the brief @neonexus