User's permissions in feathers.js API

Problem description

I'm trying to create some REST API with user roles like admin, superadmin etc. I was trying to achieve this by using the feathers-permissions module, but there are no working examples on the internet. Have you ever dealt with such a task? What I do now is: feathers generate app and then feathers generate authentication. What should I do next?

Solution

The secret to implementing permissions and roles in Feathers is that Hooks really provide everything you need with all the flexibility you might want. There isn't really a need to spend time looking for a separate module and learning its API.

Store the permissions (which are normally just strings) in an array on the user (or a separate permissions service based on the user's ID) and then in a before hook check if the user is allowed to perform the operation the hook is registered as (here the permission is called messages::create), and if not, throw a Feathers error:

const { Forbidden } = require('feathers-errors');

app.service('messages').hooks({
  before: {
    create: [ context => {
      // `params.provider` is set for any external access
      // usually we don't need to check permissions for internal calls
      const isExternal = !!context.params.provider;

      if(isExternal && !context.params.user.permissions.includes('messages::create')) {
        throw new Forbidden('You are not allowed to access this');
      }
    }]
  }
});

This pattern can also be implemented with any existing permissions module for Node. feathers-permissions is a simple module that allows you to do this more easily.

For more information also see the blog posts about Access Control Strategies in FeathersJS and Easy API Authorization with CASL and Feathers.
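The check from the answer, generalised to any service and method and made to fail closed when `params.user` is missing, as an added example that is not part of the original answer or of Feathers itself. `requirePermission` and `check` are hypothetical names, `Forbidden` is a local stand-in for the class exported by feathers-errors, and the users and calls are constructed sample data.

```javascript
// Local stand-in for `Forbidden` from 'feathers-errors', so this runs without Feathers.
class Forbidden extends Error {
  constructor(message) {
    super(message);
    this.name = 'Forbidden';
    this.code = 403;
  }
}

// Hypothetical hook factory. The required permission is derived from the hook
// context as `<service path>::<method>`, matching the page's `messages::create`.
function requirePermission() {
  return context => {
    // `params.provider` is only set for external (REST/socket) calls.
    if (!context.params.provider) return context;

    // Fail closed: no authenticated user, or `permissions` is not an array
    // (a string would make `.includes` a substring match), means no access.
    const user = context.params.user;
    const granted = user && Array.isArray(user.permissions) ? user.permissions : [];

    if (!granted.includes(`${context.path}::${context.method}`)) {
      throw new Forbidden('You are not allowed to access this');
    }
    return context;
  };
}

// Runs the hook against a constructed context; returns 'allowed' or the error code.
function check(hook, path, method, params) {
  try {
    hook({ path, method, params });
    return 'allowed';
  } catch (err) {
    if (err instanceof Forbidden) return err.code;
    throw err;
  }
}

// Constructed sample users and calls (not from the original page).
const permissionHook = requirePermission();
const editor = { permissions: ['messages::create'] };
const external = user => ({ provider: 'rest', user });

console.log(check(permissionHook, 'messages', 'create', external(editor)));    // allowed
console.log(check(permissionHook, 'messages', 'remove', external(editor)));    // 403
console.log(check(permissionHook, 'messages', 'create', external(undefined))); // 403
console.log(check(permissionHook, 'messages', 'create', {}));                  // allowed (internal)
```

In an app the hook would be registered once per service under `before: { all: [ requirePermission() ] }`, after the authentication hook that populates `params.user`.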
