Atom Authorization is authorization at the level of data (atoms). This chapter describes the basic concepts and usage of Atom Authorization. For more details, see: Cabloy:Atom Authorization

Authorization Record

An authorization record grants a role an atom action on an atomClass, for example:

Role      AtomClass   Atom Action
system    party       create

Data Scope of Authorization

When authorizing, you can also restrict the permission to a data scope, for example:

Role      AtomClass   Atom Action   Data Scope
system    party       read          finance department

Here the role system can only read party data belonging to the finance department.

Authorization Ways

There are three ways to grant atom authorizations. Here, appropriate initial privileges are assigned to the relevant roles through the initial authorization approach.

1. Authorization Records

Role      AtomClass   Atom Action   Data Scope
system    party       create
system    party       read          authenticated
system    party       write         self
system    party       delete        self
system    party       clone         self
system    party       deleteBulk
system    party       exportBulk

2. Authorization Logics

src/suite-vendor/test-party/modules/test-party/backend/src/bean/version.manager.js

    async init(options) {
      // init
      if (options.version === 1) {
        // add role rights for atomClass 'party' (same records as the table above;
        // scopeNames: 0 means 'self', no scopeNames means the action is not scoped)
        const roleRights = [
          { roleName: 'system', action: 'create' },
          { roleName: 'system', action: 'read', scopeNames: 'authenticated' },
          { roleName: 'system', action: 'write', scopeNames: 0 },
          { roleName: 'system', action: 'delete', scopeNames: 0 },
          { roleName: 'system', action: 'clone', scopeNames: 0 },
          { roleName: 'system', action: 'deleteBulk' },
          { roleName: 'system', action: 'exportBulk' },
        ];
        await this.ctx.bean.role.addRoleRightBatch({ atomClassName: 'party', roleRights });
      }
    }

Authorization Checking

Authorization can be checked either by middleware or through the API. Here we only demonstrate checking by middleware, where the required right is declared in the route's meta:

src/suite-vendor/test-party/modules/test-party/backend/src/routes.js

    // test/atom/right (checked by middleware)
    // Each entry declares the atom action the 'right' middleware must check before
    // the controller runs; this is a fragment of the routes array.
    {
      method: 'post',
      path: 'test/atom/checkRightCreate',
      controller: 'testAtomRight',
      middlewares: 'test',
      meta: { right: { type: 'atom', action: 'create' } },
    },
    {
      method: 'post',
      path: 'test/atom/checkRightRead',
      controller: 'testAtomRight',
      middlewares: 'test',
      meta: { right: { type: 'atom', action: 'read' } },
    },
    {
      method: 'post',
      path: 'test/atom/checkRightWrite',
      controller: 'testAtomRight',
      middlewares: 'test',
      meta: { right: { type: 'atom', action: 'write' } },
    },
    {
      method: 'post',
      path: 'test/atom/checkRightAction',
      controller: 'testAtomRight',
      middlewares: 'test',
      meta: { right: { type: 'atom', action: 'partyOver' } },
    },

Name      Description
meta      the metadata of the API route, which can specify parameters for middlewares
right     parameters of the right middleware
type      authorization type, here atom
action    the Atom Action to check authorization for
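The authorization model above (role, atomClass, action, data scope) and the route-meta check, as an added example that is not Cabloy's own code: addRoleRightBatch, scopeAllows, checkRight and rightMiddleware are hypothetical stand-ins for the framework's beans and middleware, and the scope semantics ('authenticated', 0 as self, a department name) are an assumption modelled on the tables above.

```javascript
// Added example (not Cabloy's own code): a small model of atom authorization records
// with data scopes, plus a middleware-style check driven by route.meta.right.
// Scope encoding follows the page: 'authenticated' (every atom; caller must be logged in),
// 0 meaning 'self' (only atoms the caller created), a department name, or undefined
// (no data scope, for actions not tied to one atom such as create or deleteBulk).
const rights = []; // records: { roleName, atomClassName, action, scopeNames }
// Hypothetical stand-in for ctx.bean.role.addRoleRightBatch used on the page.
function addRoleRightBatch({ atomClassName, roleRights }) {
  for (const r of roleRights) rights.push({ atomClassName, ...r });
}
// Does a record's data scope admit this atom for this user?
function scopeAllows(scopeNames, atom, user) {
  if (scopeNames === undefined) return true;
  if (scopeNames === 'authenticated') return Boolean(user.id);
  if (scopeNames === 0) return atom.userIdCreated === user.id;
  return atom.department === scopeNames; // e.g. 'finance department'
}
// Fail closed: allow only when some record matches role, atomClass, action and scope.
function checkRight({ user, atomClassName, action, atom }) {
  return rights.some(r => user.roles.includes(r.roleName)
    && r.atomClassName === atomClassName && r.action === action
    && scopeAllows(r.scopeNames, atom || {}, user));
}
// Middleware-style guard that reads route.meta.right, as the routes.js entries declare it.
function rightMiddleware(route, ctx) {
  const right = route.meta && route.meta.right;
  if (!right || right.type !== 'atom') return { status: 200 }; // no atom right declared
  const ok = checkRight({ user: ctx.user, atomClassName: ctx.atomClassName,
    action: right.action, atom: ctx.atom });
  return ok ? { status: 200 } : { status: 403, message: `${right.action} on ${ctx.atomClassName} denied` };
}

// Constructed sample data: three of the page's party records plus a finance-scoped read.
addRoleRightBatch({ atomClassName: 'party', roleRights: [
  { roleName: 'system', action: 'create' },
  { roleName: 'system', action: 'read', scopeNames: 'authenticated' },
  { roleName: 'system', action: 'write', scopeNames: 0 },
  { roleName: 'finance', action: 'read', scopeNames: 'finance department' },
] });
const alice = { id: 1, roles: ['system'] }, carol = { id: 3, roles: ['finance'] };
const bobsParty = { userIdCreated: 2, department: 'finance department' };
const salesParty = { userIdCreated: 2, department: 'sales' };
const readRoute = { meta: { right: { type: 'atom', action: 'read' } } };
const writeRoute = { meta: { right: { type: 'atom', action: 'write' } } };
const check = (route, user, atom) => rightMiddleware(route, { user, atomClassName: 'party', atom }).status;
const aliceRead = check(readRoute, alice, bobsParty);    // 200: authenticated scope
const aliceWrite = check(writeRoute, alice, bobsParty);  // 403: self scope, not her atom
const carolRead = check(readRoute, carol, bobsParty);    // 200: finance department scope
const carolSales = check(readRoute, carol, salesParty);  // 403: outside her department
```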