Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.
MIT License
Ownership access control for action 'read' does not work, and is the package still active? #252
Is this package still active?
By my test,
Then, 'put /sth/:id' can only be accessed by the user who owns the 'sth/:id', it works.
However, I need similar access control for 'get /sth/:id': I want only the owner to be able to access 'get /sth/:id'. I tried the following operations:
But it does not work.
PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'role'}), then 'get /sth/' and 'get /sth/:id' can both be accessed by all registered users regardless of ownership.
PermissionService.revoke({role:'registered', model:'sth', action:'read', relation:'role'}), then 'get /sth/' and 'get /sth/:id' would both be forbidden for all registered users regardless of ownership.
And permission {role:'registered', model:'sth', action:'read', relation:'owner'} seems to have no effect.
I just don't know if it is a designed feature or a bug.
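The read behaviour the post expects, written as a small in-memory model that can serve as a test oracle when checking an ownership policy on 'get /sth/' and 'get /sth/:id'. This is an added example, not sails-permissions code; the `owner` field, the user object shape, the sample data and all function names are assumptions.

```javascript
// Constructed sample data (not from the issue): two 'sth' records, one user.
const records = [
  { id: 1, owner: 'alice' },
  { id: 2, owner: 'bob' },
];
const alice = { name: 'alice', roles: ['registered'] };

// Permission objects reuse the shape shown in the post.
const roleWide = [{ role: 'registered', model: 'sth', action: 'read', relation: 'role' }];
const ownerOnly = [{ role: 'registered', model: 'sth', action: 'read', relation: 'owner' }];

// Which relation authorises this request? null means no permission matches.
function matchRelation(permissions, user, model, action) {
  const hits = permissions.filter(p =>
    p.model === model && p.action === action && user.roles.includes(p.role));
  if (hits.some(p => p.relation === 'role')) return 'role';   // applies to every row
  if (hits.some(p => p.relation === 'owner')) return 'owner'; // needs a per-row check
  return null;
}

// Models 'get /sth/:id': an owner-relation permission must compare the row's owner.
function readOne(permissions, user, id) {
  const relation = matchRelation(permissions, user, 'sth', 'read');
  if (!relation) return { status: 403 };
  const rec = records.find(r => r.id === id);
  if (!rec) return { status: 404 };
  if (relation === 'owner' && rec.owner !== user.name) return { status: 403 };
  return { status: 200, body: rec };
}

// Models 'get /sth/': an owner-relation permission filters the result set.
function readAll(permissions, user) {
  const relation = matchRelation(permissions, user, 'sth', 'read');
  if (!relation) return { status: 403 };
  const rows = relation === 'owner'
    ? records.filter(r => r.owner === user.name)
    : records;
  return { status: 200, body: rows };
}

console.log(readOne(ownerOnly, alice, 2).status); // another user's row
console.log(readAll(ownerOnly, alice).body);      // only alice's rows
```

Comparing a live deployment's responses against this model for each permission set shows whether the owner relation is actually being enforced on reads.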