payload-rbac-plugin 1.0.5-rc → 1.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +31 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -13,6 +13,7 @@ This plugin emphasizes checking **permissions instead of roles** to avoid hard-c
|
|
|
13
13
|
|
|
14
14
|
## Features
|
|
15
15
|
|
|
16
|
+
- **Attribute-Based Access Control (ABAC)**: Support for dynamic, Row-Level Security conditions configured right from the Payload Admin UI. No code updates required!
|
|
16
17
|
- **Dynamic Collections**: Automatically injects database-backed `Roles` and `Permissions` collections.
|
|
17
18
|
- **Auth Collection Extension**: Injects a `roles` relationship field into your target auth collection (e.g., `users`) with `saveToJWT: true` for zero-cost runtime checks.
|
|
18
19
|
- **Bulk Permission Generator**: In the Admin UI, easily switch between creating a single permission or using the Bulk CRUD Generator to automatically generate separate permissions (e.g., `posts:create`, `posts:read`, `posts:update`, `posts:delete`) at once.
|
|
@@ -129,7 +130,36 @@ export const PostsCollection = {
|
|
|
129
130
|
}
|
|
130
131
|
```
|
|
131
132
|
|
|
132
|
-
### 2.
|
|
133
|
+
### 2. Dynamic Row-Level Security (ABAC)
|
|
134
|
+
|
|
135
|
+
The `checkPermission` wrapper natively supports Attribute-Based Access Control (ABAC). If an administrator assigns a permission with `conditions` in the Admin UI (e.g. `sender equals {{user.id}}`), `checkPermission` will automatically map it to a Payload `Where` object without any code changes!
|
|
136
|
+
|
|
137
|
+
If you need to construct these queries manually outside of standard access control, you can use the `getPermissionQuery` utility:
|
|
138
|
+
|
|
139
|
+
```typescript
|
|
140
|
+
import { getPermissionQuery } from 'payload-rbac-plugin'
|
|
141
|
+
|
|
142
|
+
export const CustomEndpoint = async (req) => {
|
|
143
|
+
// Returns `true`, `false`, or a Payload Where object depending on UI conditions
|
|
144
|
+
const accessQuery = getPermissionQuery(req.user, 'posts:read')
|
|
145
|
+
|
|
146
|
+
if (!accessQuery) return Response.json({ error: 'Forbidden' }, { status: 403 })
|
|
147
|
+
|
|
148
|
+
const posts = await req.payload.find({
|
|
149
|
+
collection: 'posts',
|
|
150
|
+
where: typeof accessQuery === 'object' ? accessQuery : undefined,
|
|
151
|
+
})
|
|
152
|
+
}
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
#### Supported Dynamic Variables
|
|
156
|
+
When defining conditional `Value`s in the UI, you can inject variables:
|
|
157
|
+
- `{{user.id}}` - Replaced with the current user's ID
|
|
158
|
+
- `{{user.roles}}` - Replaced with an array of the user's role IDs (useful for the `in` operator)
|
|
159
|
+
- `{{user.role}}` - Replaced with the user's role ID (if using a single custom role field)
|
|
160
|
+
- `true` / `false` - Properly parsed into booleans (useful for the `exists` operator)
|
|
161
|
+
|
|
162
|
+
### 3. Manual Permission Verification (`hasPermission`)
|
|
133
163
|
|
|
134
164
|
For custom endpoints, hooks, or conditionally rendering logic, use the `hasPermission` utility:
|
|
135
165
|
|