
Permissions

Open MicahPotter opened this issue 3 years ago • 4 comments

I'm not seeing a way to protect certain crud endpoints. Say a user needs to update their own information, but should not have permission to update another user's info. Is there a built-in way to do that?

MicahPotter avatar Oct 04 '22 01:10 MicahPotter

Hello @MicahPotter! You can use the onRequest callback to plug in your ACL logic: https://next-crud.js.org/api-docs/callbacks#onrequest

baptadn avatar Oct 05 '22 12:10 baptadn

Hey @shinework

I have been trying to use the onRequest callback, and manipulating the query.


async onRequest(req, res, options?) {
    const query = req.query

    // Do some stuff to the query
    Object.assign(req.query, {
        where: {...},
    });

    console.log(query) // The query has everything I would now expect

    // I now want next-crud to continue to do its thing with the manipulated query

    return req // Do we just return the req here?
}

I am missing something obvious I know, but wondered if you could help with an example?

mikerudge avatar Nov 01 '22 11:11 mikerudge

To clarify, I was looking for a way to automatically add a filter for certain models.

So I am hoping I can update the request query.where and then pass that back to next-crud.

The req I have looks something like this:

const req = {
	baseUrl: "",
	originalUrl:
		"/api/users?where=%7B%22role%22%3A%7B%22%24eq%22%3A%22ADMIN%22%7D%7D&include=",

	params: { "0": "/api/users" },
	query: {
		where: '{"role":{"$eq":"ADMIN"}}',
		include: "",
		" nextcrud": ["users"],
	},
}

Do we need to update both the originalUrl and the query object?

mikerudge avatar Nov 02 '22 16:11 mikerudge

Oh, sorry, looks like this is already being discussed in https://github.com/premieroctet/next-crud/issues/44

mikerudge avatar Nov 07 '22 17:11 mikerudge
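
An added example (not from the thread or from next-crud itself) of ACL logic an onRequest callback could delegate to: an ownership check for the case in the original question, and a helper that forces a server-chosen filter into the JSON `where` parameter shown above. The function names, the `user` shape and the HTTP-method mapping are assumptions; whether next-crud picks up a rewritten `req.query` is not settled in this thread.

```javascript
// Added example. decide(), scopeWhere() and the `user` shape are hypothetical
// names, not next-crud API; `user` is assumed to come from your session layer.
const OWNER_WRITES = new Set(["PUT", "PATCH", "DELETE"]);

// Ownership rule from the question: non-admins may read users but may only
// modify the record whose id matches their own. Everything else is denied.
function decide({ method, resourceName, resourceId, user }) {
  if (!user) return { allow: false, status: 401 };
  if (user.role === "ADMIN") return { allow: true, status: 200 };
  if (resourceName !== "users") return { allow: false, status: 403 }; // default deny
  if (method === "GET") return { allow: true, status: 200 };
  // Ids taken from a URL path are strings, so compare as strings.
  const own = resourceId != null && user.id != null &&
    String(resourceId) === String(user.id);
  const ok = OWNER_WRITES.has(method) && own;
  return { allow: ok, status: ok ? 200 : 403 };
}

// Force a server-chosen filter into the client's JSON `where` parameter.
// Forced keys are spread last, so a client-supplied value for the same key
// is overwritten. Returns null when the input should be rejected.
function scopeWhere(rawWhere, forced) {
  let client = {};
  if (rawWhere !== undefined && rawWhere !== "") {
    if (typeof rawWhere !== "string") return null; // repeated ?where= is an array
    try {
      client = JSON.parse(rawWhere);
    } catch {
      return null; // malformed JSON
    }
  }
  if (client === null || typeof client !== "object" || Array.isArray(client)) {
    return null;
  }
  return JSON.stringify({ ...client, ...forced });
}

// Constructed sample: user 7 sends the `where` value shown in the thread.
const me = { id: 7, role: "USER" };
console.log(decide({ method: "PATCH", resourceName: "users", resourceId: "8", user: me }));
console.log(scopeWhere('{"role":{"$eq":"ADMIN"}}', { id: { $eq: me.id } }));
```

Reject the request (401/403, or 400 when `scopeWhere` returns null) before any database call is made; the decision must run server-side on every route, not only on the ones the UI exposes.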