meteor-astronomy
New package for declarative methods access control : Serrurier
Hi! I made a package for my personal use that I wanted to share: Serrurier.
The core philosophy is to promote declarative expressions over imperative conditional code to define the context in which a method can be called. It simplifies and refactors the security logic of your application. It gives other developers (and yourself) fast hints about the when.
The idea is to define accesses and perform miscellaneous assertions through ES7 candidate decorators, now easily available for Meteor 1.3.4 and above.
To give you an idea with a cadenas for alanning:roles :
In the above example, an exception is thrown if the user is not in the group ADMIN and the access is refused.
Apart from defining custom cadenas, you can define your own reporters that process those exceptions (they are sorts of listeners on exceptions).
Here is an example with the paranoid reporter that logs unexpected SecurityExceptions in the server console and keeps track of those events in a collection:
_______________________________ SERRURIER PARANOID REPORT _______________________________
createdAt: new Date('2016-07-07T05:46:25.005Z'),
ip: '127.0.0.1',
geoInfo: 'localhost'
userAgent: 'Mozilla/5.0 (X11; Linux x86_64) ...,
securityContext: {
    reason: 'user.not.in.role:administrator:GLOBAL',
    exceptionId: 'loggedUserInRole',
    action: 'Project#updateSensitiveData',
    stackTrace: '...',
    target: {
        Project: {
            plugins: {
                task: {
                    _types: []
                },
                annotation: {
                    _types: []
                }
            },
            isOpen: false,
            publicationPolicy: true,
            enablePlugins: false,
            defaultCaptionSource: null,
            pending: []
        }
    },
    userId: 'JCwWgQZLExz5KrcDH'
}
_________________________________________________________________________________________
So if you're curious and interested, please give it a try! Open to suggestions and contributors to enhance the lib :smile:
Cheers
Nice, I didn't know that decorators are going to appear in future ES versions. I will add this package to the list of community packages.
@jagi thanks!
Right now you have to use Serrurier.createClass, Serrurier.inheritClass ... etc to use decorators, because I need to wrap methods and event listeners inside the description object. You could use Class.create(decorateDescription({ ... })) as this method is exported.
Do you have any idea how Serrurier could be more seamlessly integrated? I've dived into behaviors and modules, but they address different extension needs. Serrurier would rather be a "plugin" that provides a unique callback (decorateDescription) applied to every create, extend and inherit description argument.
Have you got any insights?
Cheers
I could probably add support for decorators in class definition so that anyone could attach to some decorator event and add custom functionality. However, as support for decorators right now is not turned on by default in Babel and is just experimental, I'm not planning to introduce such a feature any time soon.
@jagi I totally understand this is not standard yet and should totally be the choice of the lib user. What I suggested would look like this:
import { registerPlugin } from 'meteor/jagi:astronomy'
import { decorateDescription } from 'meteor/svein:serrurier'
registerPlugin(decorateDescription)
In the background, you would just apply registerPlugin's first argument (a method) whose signature is (description) : description to any create, extend or inherit first argument. It does not mean you need to use decorators. It would be a totally generic way to register a plugin that only transforms descriptions.
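The description-transforming plugin idea from this post, combined with the guard and reporter pattern from the first post, sketched as an added example that is not part of the thread and is not Serrurier's or Astronomy's code. The `registerPlugin` and `decorateDescription` bodies, `createClass`, the `guards` key, `loggedUserInRole`, `SecurityException` and the explicit `ctx` argument are all hypothetical stand-ins.

```javascript
// Added example: every name here is a hypothetical stand-in, not a real package API.
class SecurityException extends Error {
  constructor(exceptionId, reason) {
    super(reason);
    this.exceptionId = exceptionId;
    this.reason = reason;
  }
}

const reporters = [];   // listeners notified of every SecurityException
const plugins = [];     // (description) => description transformers
const registerPlugin = (transform) => plugins.push(transform);

// Declarative guard: states *when* a method may run, outside the method body.
// ctx must be built server-side from the session, never from client-supplied arguments.
const loggedUserInRole = (role) => (ctx) => {
  if (!ctx.userId) throw new SecurityException('loggedUserInRole', 'user.not.logged.in');
  if (!(ctx.roles || []).includes(role))
    throw new SecurityException('loggedUserInRole', `user.not.in.role:${role}`);
};

// Wraps each method so its declared guards run before the body does.
function decorateDescription(description) {
  const methods = {};
  for (const [name, fn] of Object.entries(description.methods || {})) {
    const guards = (description.guards || {})[name] || [];
    methods[name] = function (ctx, ...args) {
      try {
        guards.forEach((guard) => guard(ctx));
      } catch (e) {
        if (e instanceof SecurityException)
          reporters.forEach((r) => r({ action: `${description.name}#${name}`, userId: ctx.userId, reason: e.reason }));
        throw e; // access stays refused whether or not a reporter is attached
      }
      return fn.apply(this, args);
    };
  }
  return { ...description, methods };
}

// Stand-in for the class factory: every registered plugin sees the description first.
const createClass = (description) => plugins.reduce((d, p) => p(d), description);

registerPlugin(decorateDescription);
const Project = createClass({
  name: 'Project',
  guards: { updateSensitiveData: [loggedUserInRole('administrator')] },
  methods: { updateSensitiveData: (value) => `updated:${value}` },
});
```

The guard rethrows after reporting, so a failing or missing reporter can never turn a refusal into an allowed call.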
I see your point. It would probably be a good way of implementing it, but for now I will just add it to the list of features to implement, as there are a lot of things that are requested from the community. I have to focus on more important things right now.
@jagi Np! I might push a PR if I find the time
Ok cool