Skip to content

Ownership access control for action 'read' not works and package still active? #252

Open
@leoujz

Description

@leoujz

This package still active?

By my test,

PermissionService.grant({role:'registered', model:'sth', action:'update', relation:'role'})
PermissionService.grant({role:'registered', model:'sth', action:'update', relation:'owner'})

Then, 'put /sth/:id' can only be accessed by the user who owns the 'sth/:id', it works.

However, I need similar access control for 'get /sth/:id', I want only the owner can access 'get sth/:id'. I tried the following operations:

PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'role'})
PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'owner'})

But it does not work.

PermissionService.grant({role:'registered', model:'sth', action:'read', relation:'role'}), then 'get /sth/' and 'get /sth/:id' can both be accessed by all registered users despite of ownership.
PermissionService.revoke({role:'registered', model:'sth', action:'read', relation:'role'}), then 'get /sth/' and 'get /sth/:id' would both be forbidden for all registered users despite of ownership.
And permission {role:'registered', model:'sth', action:'read', relation:'owner'} seems to have no effect.

I just don't know if it is a designed feature or a bug.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions