node_acl
node_acl copied to clipboard
OptimalBits
Row based ACL
Hi, I would like to implement row based ACL where owner of the records only get to edit/delete records. In order to do so, I created role for each user and assign edit/delete permissions to resource (records). I'm using mongo backend and the problem is that mongo collection is created for each resource. I think the approach will have performance issue as it scales. Do you have any recommendation? Thank you, Hiroshi
I don't think it is the right approach to use ACL for row specific CRUD. You could just keep in mongo the ID of the user who created the data/row and accordingly, validate on PUT/DELETE methods the user who's trying to do those actions with the request.user or request.user.id, depending of what you've put in your serialized data. And you could also validate that in the frontend part of your site.
Hi, I would like to elaborate more on this. Similar problem is also mentioned here https://github.com/OptimalBits/node_acl/issues/120
I am working on a system that has a slightly more complex access management. Imagine a service provided in multiple countries. I want to have superadmin role for managing the whole system. Then i want to have country-based admin(s) that will be only able to manage the service in a specific country only.
So the roles are "admin" and "country admin", where admin can manage all resources, but country admin(s) can manage only specific resource(s) identified by, let's say, "country_id".
Now I can of course create roles "country_admin_42" for users being able to manage country with id=42, but if there were larger amount of resources, that would also mean the same amount of user roles. Is there a better practice to this?
@carera In the setup that you explained, why do you need to have a role for every resource? why cant you just add all the resources for one country to just that role?
@manast What I meant by my setup is that I have to create role for every country. if there were (theoretically) 10k countries, there would be 10k roles. Is that a correct practice?
I guess so, but I think you should bring up a realistic example, so that we can understand better how to tract it (since there are just around 190 countries). Having 10k roles may or may not be a good design choice but it depends a lot on how data is modeled, user access patters, etc, etc.
There are plenty of real world examples. For any project based application (where users have permissions for particular projects), this design does not seem tenable. For example, let's say we were building Github. Each user has permissions for each project they belong to. In this case, project is the resource we want to lock down, and thus we need to create a role for each project. So, the the node_acl design, we'd have X mongo collections, where X = the number of Github projects?
Honestly, I did not implement the mongo backend, but what you say is correct, using a role per collection is not a very efficient representation of roles, and and whole idea of acl is to be able to have many many roles.
@marbemac If you set the useSingle to true in acl.mongodbBackend() only 1 collection will be created and all roles will be documents in this collection
https://github.com/OptimalBits/node_acl#backend-db-prefix-
var mongodb = require('mongodb'); mongodb.connect("mongodb://127.0.0.1:27017/acltest", function(error, db) { var mongoBackend = new acl.mongodbBackend(db, 'acl_', true); });
@devinea This is key, thanks for the tip! IMHO true should be the default - what's the argument for defaulting to creating a collection per role?
@hiroshitash you can use CASL for row based access.
@jonmassot just my 5 cents :) It's a right approach to use ACL to test per record permission. Because if ACL knows all restrictions you can request database for records which can be accessed by a particular user (what I think is a super awesome). Why should you write additional query conditions if ACL can do this for you? This is what I implemented in CASL
