
How to create dynamic policies in sails.js

I have been working on a project where I need to create and assign policies according to access rights/levels to users in sails.js.

Each user can access all levels below his level; for example, admin has a level of 9 and he can access all levels below level 9.

Currently in sails all policies are stored in

api/policies

folder and are assigned to controller in

config/policies.js

module.exports.policies = {
  UserController: {
    "create": ['canCreate'],
    "list": ['canRead'],
    "show": ['canRead'],
  },
  AuthController: {
    '*': true,
  }
};

My question is: how can I make dynamic policies based on access levels coming in from the DB?

I have googled it but found nothing on how to create dynamic policies in sails.js, so posting here.

Appreciate your help on this.

Thanks

Check out sails-permissions.

Comprehensive user permissions and entitlements system for sails.js and Waterline. Supports user authentication with passport.js, role-based permissioning, object ownership, and row-level security.

A simple method would be to create a policy for each access level.

policies/level01.js, policies/level02.js, etc.

Your policy file will check their session/token to make sure they meet the criteria of that policy.

policies/level01.js

module.exports = function(req, res, next) {
  // Compare with ===; a single = would assign 1 and let every request through.
  if (req.session.accessLevel === 1) return next();
  return res.forbidden();
};

Then in your config

module.exports.policies = {
  UserController: {
    // Policy names are the file names in api/policies without the .js suffix;
    // replace XX with the level each action requires.
    "create": ['levelXX'],
    "list": ['levelXX'],
    "show": ['levelXX'],
  },
  AuthController: {
    '*': true,
  }
};

Start with something like this to familiarize yourself with how these policies work, and build up from there. It is always very important to know and understand exactly how your security works.
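The per-level files above can be generated from one factory instead of being written by hand, which also answers the original question of driving the levels from the database. The following is an added example, not code from the post or from Sails itself; it assumes `req.session.accessLevel` is an integer set at login and that `res.forbidden()` exists as in Sails, and it fails closed whenever the level is missing or not a number. Each `api/policies/levelNN.js` can then simply be `module.exports = requireLevel(NN);`.

```javascript
'use strict';

// Policy factory: returns a Sails-style policy (req, res, next) that grants
// access when the caller's session level is at least minLevel. Hierarchical,
// so a level-9 admin passes every policy that requires 9 or less.
// Assumed (not from the post): req.session.accessLevel is an integer set at
// login, and res.forbidden() exists as in Sails.
function requireLevel(minLevel) {
  if (!Number.isInteger(minLevel)) {
    throw new TypeError('minLevel must be an integer, got ' + minLevel);
  }
  return function levelPolicy(req, res, next) {
    var level = req.session ? req.session.accessLevel : undefined;
    // Fail closed: a missing session, a string like "9", null or NaN never passes.
    if (!Number.isInteger(level)) return res.forbidden();
    if (level >= minLevel) return next();
    return res.forbidden();
  };
}

// Build one policy per controller action from a table of required levels,
// e.g. loaded from the database at lift time (a constructed table is used below).
function buildPolicies(requiredLevels) {
  var policies = {};
  Object.keys(requiredLevels).forEach(function (controller) {
    policies[controller] = {};
    Object.keys(requiredLevels[controller]).forEach(function (action) {
      policies[controller][action] = requireLevel(requiredLevels[controller][action]);
    });
  });
  return policies;
}

// Harness: run a policy against a fake request and report which branch fired.
function runPolicy(policy, session) {
  var outcome = null;
  policy({ session: session },
         { forbidden: function () { outcome = 'forbidden'; } },
         function () { outcome = 'next'; });
  return outcome;
}

// Constructed sample: 'create' needs level 5, reads need level 1.
var REQUIRED_LEVELS = { UserController: { create: 5, list: 1, show: 1 } };
var policies = buildPolicies(REQUIRED_LEVELS);
console.log(runPolicy(policies.UserController.create, { accessLevel: 9 }));   // next
console.log(runPolicy(policies.UserController.create, { accessLevel: 4 }));   // forbidden
console.log(runPolicy(policies.UserController.list, { accessLevel: '9' }));   // forbidden
```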

The solution of @Travis Webb is a nice one. You can also create a Role model and a Permission model linked by relations (one to many, many to many, ...) as you wish, and then filter them with a policy like this:

Example:

module.exports = function isAdmin(req, res, next) {
  if (typeof req.session.User !== "undefined") {
    // Load the logged-in user together with the roles related to it.
    User.findOne(req.session.User.id).populate('roles').exec(function (err, user) {
      if (err) return res.forbidden('You are not permitted to perform this action.');
      if (!user) return res.redirect('/user/new');
      for (var i in user.roles) {
        if (user.roles[i]['name'] == 'ROLE_ADMIN') {
          return next();
        }
      }
      // Authenticated but not an admin.
      return res.redirect('/user/show/' + req.session.User.id);
    });
  } else {
    // No session at all: send to the login page.
    return res.redirect('/session/new');
  }
};

Best Regards

A year and a half later, if someone runs into this, sails-must seems like a nice solution for this.

RabbitController: {
  nurture: must().be.a('rabbit').mother,
  feed: [must().be.nice.to('rabbits'), must().have('rabbit').food]
},

Disclaimer: I have not used it myself.
