Hyperledger Composer - ACL Rule with function in condition
Problem description
I'm trying to write slightly more complex logic in the condition of an ACL rule than the usual p.getIdentifier() == r.getIdentifier(), because in my case it isn't possible.
These are my models:

    participant Customer identified by customerID {
      o String customerID
      o String name
      ...
    }
    asset A identified by aID {
      o String aID
      --> Customer customer
    }
    asset B identified by bID {
      o String bID
      --> A a
    }

Now I want to give the Customer access to see all B assets, but only where the relationship to A references an asset which has a relationship to the actual participant of Customer who is "logged in".
Summarized logic: From asset B to A, and then from A to Customer.
So in this case I can't compare the identifiers of Customer and B directly and have to go over A. Therefore I wanted to evaluate the access with a function which is called in the script.js file:

    rule CustomerAccessCustomer {
      description: "The customer should see all B assets, but only when he have a relationship in asset A "
      participant(p): "org.xxx.test.participant.Customer"
      operation: READ
      resource(r): "org.xxx.test.asset.B"
      condition: (evaluateAccess(p,r))
      action: ALLOW
    }

This is the function in script.js:

    async function evaluateAccess(p,r) {
      try {
        const bRegistry = await getAssetRegistry('org.xxx.test.asset.B');
        const b = await bRegistry.get(r.getIdentifier());
        const aRegistry = await getAssetRegistry('org.xxx.test.asset.A');
        const a = await aRegistry.get(b.a.getIdentifier());
        if (p.getIdentifier() === a.customer.getIdentifier()) {
          return true;
        }
      } catch (error) {
        console.log(error);
      }
    }

But I get an error: Error: The runtime API is not available.
Am I thinking about this the wrong way? Isn't it possible to evaluate access with a function? How did you handle access rules if you can't just compare the identifiers?
Recommended answer
You should be able to do:

    rule CustomerAccessCustomer {
      description: "The customer should see all B assets, but only when he have a relationship in asset A "
      participant(p): "org.xxx.test.participant.Customer"
      operation: READ
      resource(r): "org.xxx.test.asset.B"
      condition: (p.getIdentifier() === r.a.customer.getIdentifier())
      action: ALLOW
    }

but p would also need READ access already to be able to 'read' Asset resource 'A' (to check the identifier etc.) in the first place :-)
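
The B -> A -> Customer check from the answer's condition, written as a synchronous helper that fails closed and avoids the runtime API calls (getAssetRegistry) that produced the error in the question. This is an added example, not part of the original post or Composer's own code: `makeResource`, `ownsB` and `ownsBAsync` are hypothetical names, the objects are constructed stand-ins, and it assumes the relationships are already resolved the way `r.a.customer` in the answer's rule expects.

```javascript
// Constructed stand-in for a Composer resource: only getIdentifier() and the
// relationship fields used by the rule are modelled (assumption, not the real API).
function makeResource(id, links = {}) {
    return Object.assign({ getIdentifier: () => id }, links);
}

// Hypothetical synchronous helper for the condition: walks B -> A -> Customer
// and fails closed (returns false) if any link is missing or unresolved.
function ownsB(p, r) {
    const a = r && r.a;
    const customer = a && a.customer;
    if (!p || !customer || typeof customer.getIdentifier !== 'function') {
        return false;
    }
    return p.getIdentifier() === customer.getIdentifier();
}

// The async shape from the question: the call itself yields a Promise, not a
// boolean, so a truthiness check on it says nothing about ownership.
async function ownsBAsync(p, r) {
    return ownsB(p, r);
}

// Constructed sample data.
const alice = makeResource('C1');
const bob = makeResource('C2');
const a1 = makeResource('A1', { customer: alice });
const b1 = makeResource('B1', { a: a1 });
const orphanB = makeResource('B2', {}); // B without a resolved A

function demo() {
    return {
        owner: ownsB(alice, b1),
        stranger: ownsB(bob, b1),
        orphan: ownsB(alice, orphanB),
        asyncIsPromise: ownsBAsync(bob, b1) instanceof Promise,
        asyncTruthyForStranger: Boolean(ownsBAsync(bob, b1)),
    };
}

console.log(demo());
```

A helper used in an ALLOW rule should return a plain boolean on every path, so a broken or missing relationship denies access instead of leaving the result undefined or truthy.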