Atom Authorization

Atom Authorization is data-based authorization. This chapter describes the basic concepts and usage of Atom Authorization. For more details, see: Cabloy:Atom Authorization
Authorization Record

An authorization record grants an atom action on an atomClass to a role, for example:

Role | AtomClass | Atom Action |
---|---|---|
system | party | create |
Data Scope of Authorization

When authorizing, you can also specify the data scope of the permission, as in the following authorization record:

Role | AtomClass | Atom Action | Data Scope |
---|---|---|---|
system | party | read | finance department |

Here the role `system` can only read `party` data that belongs to the `finance department`.
Authorization Ways

There are three ways of atom authorization. Here, appropriate initial privileges are assigned to the relevant roles through the initial authorization approach:
1. Authorization Records

Role | AtomClass | Atom Action | Data Scope |
---|---|---|---|
system | party | create | |
system | party | read | authenticated |
system | party | write | self |
system | party | delete | self |
system | party | clone | self |
system | party | deleteBulk | |
system | party | exportBulk | |
2. Authorization Logics

src/suite-vendor/test-party/modules/test-party/backend/src/bean/version.manager.js

```js
async init(options) {
  // init: runs once when the module is initialized at the given version
  if (options.version === 1) {
    // add role rights for the `party` atomClass; these records match the
    // "Authorization Records" table above (scopeNames: 0 is the `self` scope,
    // 'authenticated' is the authenticated scope, no scopeNames means no data restriction)
    const roleRights = [
      { roleName: 'system', action: 'create' },
      { roleName: 'system', action: 'read', scopeNames: 'authenticated' },
      { roleName: 'system', action: 'write', scopeNames: 0 },
      { roleName: 'system', action: 'delete', scopeNames: 0 },
      { roleName: 'system', action: 'clone', scopeNames: 0 },
      { roleName: 'system', action: 'deleteBulk' },
      { roleName: 'system', action: 'exportBulk' },
    ];
    await this.ctx.bean.role.addRoleRightBatch({ atomClassName: 'party', roleRights });
  }
}
```
Authorization Checking

Authorization can be checked by middleware or by API. Here we only demonstrate checking by middleware:
src/suite-vendor/test-party/modules/test-party/backend/src/routes.js

```js
// test/atom/right (checked by middleware)
{
  method: 'post',
  path: 'test/atom/checkRightCreate',
  controller: 'testAtomRight',
  middlewares: 'test',
  // meta.right is read by the right middleware: check the `create` atom action
  meta: { right: { type: 'atom', action: 'create' } },
},
{
  method: 'post',
  path: 'test/atom/checkRightRead',
  controller: 'testAtomRight',
  middlewares: 'test',
  // check the `read` atom action (data scope applies, see the tables above)
  meta: { right: { type: 'atom', action: 'read' } },
},
{
  method: 'post',
  path: 'test/atom/checkRightWrite',
  controller: 'testAtomRight',
  middlewares: 'test',
  // check the `write` atom action
  meta: { right: { type: 'atom', action: 'write' } },
},
{
  method: 'post',
  path: 'test/atom/checkRightAction',
  controller: 'testAtomRight',
  middlewares: 'test',
  // a custom atom action (`partyOver`) is checked the same way as the built-in ones
  meta: { right: { type: 'atom', action: 'partyOver' } },
},
```
Name | Description |
---|---|
meta | the metadata of the API route, which can specify parameters related to middlewares |
right | parameters of the `right` middleware |
type | authorization type; here it is `atom` |
action | the Atom Action to check authorization for |
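To make the two ideas on this page concrete, the authorization records with their data scopes (the "Data Scope" and "Authorization Records" tables) and the middleware check driven by `meta.right` (the routes above), here is an added, self-contained example. It is not CabloyJS code: `checkAtomRight`, `rightMiddleware`, `simulateRequest`, the scope semantics (`authenticated`, `self`, a department name), the way the atom class is passed to the middleware, and the sample users and atoms are all assumptions made for this illustration.

```javascript
// Added example, not CabloyJS code: a toy model of atom authorization records
// with data scopes, plus a route middleware that reads `meta.right` the way the
// routes above declare it. All names and semantics here are assumptions.

// Constructed authorization records. An absent scope means the action is not
// restricted by data (create, deleteBulk, exportBulk in the table above).
const roleRights = [
  { roleName: 'system', atomClassName: 'party', action: 'create' },
  { roleName: 'system', atomClassName: 'party', action: 'read', scopeNames: 'authenticated' },
  { roleName: 'system', atomClassName: 'party', action: 'write', scopeNames: 'self' },
  { roleName: 'system', atomClassName: 'party', action: 'delete', scopeNames: 'self' },
  { roleName: 'system', atomClassName: 'party', action: 'clone', scopeNames: 'self' },
  { roleName: 'system', atomClassName: 'party', action: 'deleteBulk' },
  { roleName: 'system', atomClassName: 'party', action: 'exportBulk' },
  // department-scoped read, as in the "Data Scope" table (constructed)
  { roleName: 'auditor', atomClassName: 'party', action: 'read', scopeNames: 'finance' },
];

// Assumed scope semantics: 'authenticated' = any signed-in user, 'self' = only
// atoms the user created, any other name = atoms tagged with that scope.
function scopeAllows(scopeNames, user, atom) {
  if (!scopeNames) return true;
  const scopes = Array.isArray(scopeNames) ? scopeNames : [scopeNames];
  return scopes.some(scope => {
    if (scope === 'authenticated') return true;
    if (scope === 'self') return Boolean(atom) && atom.userIdCreated === user.id;
    return Boolean(atom) && atom.scope === scope;
  });
}

// Deny by default: anonymous users, unknown roles, unknown actions and atoms
// outside every granted scope all fail the check.
function checkAtomRight({ user, atomClassName, action, atom }) {
  if (!user || user.anonymous) return false;
  return roleRights.some(r =>
    user.roles.includes(r.roleName) &&
    r.atomClassName === atomClassName &&
    r.action === action &&
    scopeAllows(r.scopeNames, user, atom));
}

// Koa-style (ctx, next) middleware built from a route object like those in
// routes.js. The routes on the page name only type and action, so the atom
// class is passed in here (assumption) rather than read from the route.
function rightMiddleware(route, atomClassName) {
  const right = route.meta && route.meta.right;
  return (ctx, next) => {
    if (!right || right.type !== 'atom') return next(); // no atom right declared
    const allowed = checkAtomRight({
      user: ctx.state.user,
      atomClassName,
      action: right.action,
      atom: ctx.request.body && ctx.request.body.atom,
    });
    if (!allowed) {
      ctx.status = 403;
      ctx.body = { error: 'forbidden' };
      return;
    }
    return next();
  };
}

// Drives the middleware with a constructed ctx and reports whether the
// controller was reached and which status the request ended with.
function simulateRequest(route, atomClassName, user, body = {}) {
  const ctx = { state: { user }, request: { body }, status: 404, body: null };
  let reachedController = false;
  rightMiddleware(route, atomClassName)(ctx, () => {
    reachedController = true;
    ctx.status = 200;
  });
  return { reachedController, status: ctx.status };
}

// Constructed sample data
const alice = { id: 1, roles: ['system'] };
const bob = { id: 2, roles: ['auditor'] };
const guest = { anonymous: true, roles: [] };
const bobsParty = { id: 10, userIdCreated: 2, scope: 'finance' };
const writeRoute = {
  method: 'post',
  path: 'test/atom/checkRightWrite',
  meta: { right: { type: 'atom', action: 'write' } },
};

// `system` may read any party (authenticated scope) but may only write its own (self scope)
console.log(checkAtomRight({ user: alice, atomClassName: 'party', action: 'read', atom: bobsParty })); // true
console.log(simulateRequest(writeRoute, 'party', alice, { atom: bobsParty }).status); // 403
```

The point of the `self` and department scopes is that the action name alone is not enough: the middleware has to see the atom the request targets before it can decide, which is why the check is deny-by-default when no atom is supplied for a scoped action.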