We saw earlier that an API route can be bound to a function or a menu and then enforce function authorization or menu authorization. An API route also supports another type of authorization: Atom Authorization.

Atom Authorization is data-based authorization. This chapter describes the basic concepts and usage of Atom Authorization. For more details, see: Cabloy:Atom Authorization

API Route

The core module a-base provides a set of API routes that centrally encapsulate Atom Actions. For example, the API route atom/read is used to read a single atom's data. Its API route configuration is as follows:

node-modules/a-base-sync/backend/src/routes.js

{ method: 'post', path: 'atom/read', controller: atom,
  meta: { right: { type: 'atom', action: 2 } },
},
Name    Description
meta    the metadata of route, which can specify parameters related to middleware
right   parameters of middleware right
type    authorization type, here is atom
action  atom action code

Here the question is not whether the user has access to this API route, but whether the user has access to the corresponding atom data. This is the difference between function authorization and atom authorization.

Content of Authorization

An authorization record grants an atom action on an atomClass to a role, such as the following record:

Role    AtomClass  Atom Action
system  party      create

Resource Scope of Authorization

When authorizing, you can specify the resource scope of the permission, such as the following authorization record:

Role    AtomClass  Atom Action  Resource Scope
system  party      read         finance department

The role system can only read party data of the finance department.

Ways to Authorize

Like function authorization, atom authorization can be granted in three ways. Here, appropriate initial privileges are assigned to the relevant roles through the initial authorization approach.

Authorization Records

Role    AtomClass  Atom Action  Resource Scope
system  party      create
system  party      write        self
system  party      delete       self
system  party      read         authenticated

Authorization Codes

src/module/test-party/backend/src/service/version.js

async init(options) {
  if (options.version === 4) {
    // add role rights for atomClass party
    const roleRights = [
      { roleName: 'system', action: 'create' },
      // scopeNames: 0 is the "self" scope in the records above
      { roleName: 'system', action: 'write', scopeNames: 0 },
      { roleName: 'system', action: 'delete', scopeNames: 0 },
      // a role name as scope: data within the authenticated role
      { roleName: 'system', action: 'read', scopeNames: 'authenticated' },
    ];
    await this.ctx.meta.role.addRoleRightBatch({ atomClassName: 'party', roleRights });
  }
}
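
The authorization records above, evaluated against concrete atoms. This is an added example, not CabloyJS's own implementation: it assumes a simplified model in which the scope self means the atom's creator and a role scope means the creator belongs to that role. The names canPerform, users, the role external and the sample atoms are hypothetical.

```javascript
// Added illustration: a simplified model of atom authorization, not CabloyJS code.
// Records mirror the "Authorization Records" table; 'self' stands for scopeNames: 0.
const roleRights = [
  { roleName: 'system', atomClassName: 'party', action: 'create' },
  { roleName: 'system', atomClassName: 'party', action: 'write', scope: 'self' },
  { roleName: 'system', atomClassName: 'party', action: 'delete', scope: 'self' },
  { roleName: 'system', atomClassName: 'party', action: 'read', scope: 'authenticated' },
];

// Constructed sample users; `roles` lists every role the user belongs to.
const users = {
  1: { id: 1, roles: ['system', 'authenticated'] },
  2: { id: 2, roles: ['authenticated'] },
  3: { id: 3, roles: ['external'] }, // hypothetical role outside 'authenticated'
};

// Hypothetical helper: may `user` perform `action` on `atom`?
// For 'create' no atom exists yet, so `atom` only carries atomClassName.
function canPerform(user, action, atom) {
  return roleRights.some(right => {
    if (right.atomClassName !== atom.atomClassName) return false;
    if (right.action !== action) return false;
    if (!user.roles.includes(right.roleName)) return false;
    if (action === 'create') return true; // class-level right, no resource scope
    if (right.scope === 'self') return atom.userIdCreated === user.id;
    // Role scope: the atom must have been created by a user inside that role.
    const creator = users[atom.userIdCreated];
    return Boolean(creator) && creator.roles.includes(right.scope);
  });
}

// Constructed sample atoms, one per creator.
const ownParty = { atomClassName: 'party', userIdCreated: 1 };
const otherParty = { atomClassName: 'party', userIdCreated: 2 };
const outsideParty = { atomClassName: 'party', userIdCreated: 3 };

// The same route (atom/read, atom/write, ...) yields different answers per atom.
console.log(canPerform(users[1], 'write', ownParty));    // own data
console.log(canPerform(users[1], 'write', otherParty));  // someone else's data
console.log(canPerform(users[1], 'read', otherParty));   // creator is in scope
console.log(canPerform(users[1], 'read', outsideParty)); // creator is out of scope
```

The decision depends on the atom passed in, not on the route being called, which is the distinction from function authorization drawn earlier on this page.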

Menu of Atom Action

There are two special menu items, Create Atom and Atom List, whose permissions are tied to Atom Actions. For example, once the create and read action permissions are configured for party, the corresponding permissions for the Create Party and Party List menus follow automatically.

Therefore, we need to declare these two menu items as follows:

src/module/test-party/backend/src/meta.js

const meta = {
  base: {
    functions: {
      createParty: {
        title: 'Create Party',
        scene: 'create',
        autoRight: 1,
        atomClassName: 'party',
        action: 'create',
        sorting: 1,
        menu: 1,
      },
      listParty: {
        title: 'Party List',
        scene: 'list',
        autoRight: 1,
        atomClassName: 'party',
        action: 'read',
        sorting: 1,
        menu: 1,
      },
    },
  },
};
Name           Description
autoRight      1: indicates auto right, consistent with the corresponding atom action right
atomClassName  atomClass name
action         atom action name