Skip to main content

Permissions

Permissions are an object provided to the execute function. The root keys of the objects are the user roles (including the special role UNAUTHENTICATED for when the user object is undefined).

execute({
    ...
    user: {
        // ...
        role: 'USER' // this is the role that will apply
    },
    permissions: {
        ADMIN: ... // admin permissions
        USER: ... // user permissions
        UNAUTHENTICATED: ... // permissions for unauthenticated users
    }
})

Grant all permissions

ADMIN: true

Actions

  • READ
  • CREATE
  • UPDATE
  • DELETE
  • RESTORE
  • LINK

Grant all READ permissions on a specific table:

User: {} // same as User: { READ: true }

Grant actions other than READ on a specific table:

User: { CREATE: true }

Linking

The LINK permission doesn't give one permission to modify these records, but to use them as options for foreign keys in other records that one does have the permission to CREATE/UPDATE.

So, for example, if you want a manager to be able to assign a user to a task, you would model it like this:

MANAGER: {
  User: { LINK: true }
  Task: { UPDATE: true }
}

Narrowing the record set

Use WHERE, which accepts simple table column/value pairs that are then used as sql where filter.

GUEST: {
  Post: {
    WHERE: { published: true }
  }
}

Derivative permissions

In the following way you can define permissions that follow the relational structure.

"If I can read a board (because it is public), then I can follow all threads and their authors, and their replies, which I can like."

GUEST: {
  Board: {
    WHERE: { public: true }
    RELATIONS: {
      threads: {
        RELATIONS: {
          LINK: true,
          author: {},
          replies: {
            CREATE: true,
            LINK: true,
            likes: {
              CREATE: true
            }
          }
        }
      }
    }
  }
}

Me

You can use me as a special User record set containing just yourself.

EMPLOYEE: {
  me: {
    UPDATE: true,
    LINK: true,
    RELATIONS: {
      tasks: {
        UPDATE: true
      }
    }
  }
}

Note: for ownership patterns (I own what I create, I can update what I own), one must use implicitly generated relationships such as createdPosts, updatedPosts, deletedPosts:

GUEST: {
  me: {
    LINK: true,
    RELATIONS: {
      createdPosts: {
        // "guests can create a post with the field createdBy === me"
        CREATE: true,
        UPDATE: true
      },
      updatedPosts: {
        // this is necessary or it won't be possible to create a post
        // "guests can create a post with the field updatedBy === me"
        CREATE: true

        // this is *not* necessary because the user can already update posts they created
        // UPDATE: true
      }
    }
  }
}