@via-profit/ability 3.5.4 → 3.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +0 -30
- package/dist/index.d.ts +422 -195
- package/dist/index.js +1484 -695
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -115,36 +115,6 @@ resolver.enforce('user.passwordHash', {
|
|
|
115
115
|
```
|
|
116
116
|
In `enforce`, the key is passed without the `permission.` prefix – it is automatically removed by the parser.
|
|
117
117
|
|
|
118
|
-
## Key concepts
|
|
119
|
-
|
|
120
|
-
Let's list the key points you need to know before starting to use the package:
|
|
121
|
-
|
|
122
|
-
1. **The resolver (`AbilityResolver`) works on the `Default Deny` principle.**
|
|
123
|
-
If no policy has set a final state, the result will be `deny`
|
|
124
|
-
([see here](#troubleshooting)).
|
|
125
|
-
To avoid unexpected `deny`, ensure there is at least one `permit` policy that can match.
|
|
126
|
-
Only then add `deny` policies.
|
|
127
|
-
|
|
128
|
-
2. **Policies are processed sequentially, from top to bottom.**
|
|
129
|
-
Unlike classic ABAC models, where a `mismatch` is simply ignored, Ability uses a **state‑machine model**:
|
|
130
|
-
|
|
131
|
-
- `match` sets the state (`permit` → allow, `deny` → deny),
|
|
132
|
-
- `mismatch` **resets the state to neutral**,
|
|
133
|
-
- the final result is determined by the **last processed policy**, not just the one that matched.
|
|
134
|
-
|
|
135
|
-
3. **Rules within a policy are also executed sequentially.**
|
|
136
|
-
|
|
137
|
-
4. **In a rule set with the `all` operator, execution stops at the first `mismatch`.**
|
|
138
|
-
In `any` – at the first `match`.
|
|
139
|
-
|
|
140
|
-
5. **Use [DSL](#dsl) to compose policies** – it's simpler and more convenient.
|
|
141
|
-
|
|
142
|
-
6. **Use JSON to store policies on the server.**
|
|
143
|
-
Policies can be exported to JSON and imported back.
|
|
144
|
-
|
|
145
|
-
7. **Follow the principle: if permission is not explicitly granted → access is denied.**
|
|
146
|
-
This is a natural consequence of the `Default Deny` model and state‑machine behavior.
|
|
147
|
-
|
|
148
118
|
### Interaction model
|
|
149
119
|
|
|
150
120
|
First, you describe "raw" policies (SDL, JSON, or using classes). Then, from the "raw" data, you form ready policies (an array of policies). This is done once and allows you to have a single source of truth. Then you can run permission checks in the necessary parts of your code using the already prepared policies and resolver.
|