Hyperledger Composer - ACL rule with a condition function

Time: 2018-05-19 08:44:35

Tags: hyperledger-fabric hyperledger hyperledger-composer

I am trying to write more complex logic in the condition of an ACL rule than just p.getIdentifier() == r.getIdentifier(), because in my case that is not possible.

These are my models:

participant Customer identified by customerID {
  o String  customerID
  o String  name
  ...
}

asset A identified by aID {
  o String       aID
  --> Customer   customer
}

asset B identified by bID {
  o String  bID
  --> A     a
}

Now I want to give the Customer access to view all B assets, but only when the relationship to A references an asset that itself has a relationship to the actual Customer participant, the one "logged in".

Summarized logic: from asset B to A, then from A to Customer.

So in this case I can't compare the identifiers of Customer and B directly; I have to go through A. That is why I wanted to evaluate the access through a function called from the script.js file:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (evaluateAccess(p,r))
  action: ALLOW
}

Here is the function in script.js:
// Called from the ACL condition above; p is the participant, r the B resource.
async function evaluateAccess(p, r) {
  try {
    // Load the B asset so its relationship to A can be followed
    const bRegistry = await getAssetRegistry('org.xxx.test.asset.B');
    const b = await bRegistry.get(r.getIdentifier());

    // Load the referenced A asset to reach its Customer relationship
    const aRegistry = await getAssetRegistry('org.xxx.test.asset.A');
    const a = await aRegistry.get(b.a.getIdentifier());

    // Allow only when A points at the requesting participant
    if (p.getIdentifier() === a.customer.getIdentifier()) {
      return true;
    }
  } catch (error) {
    console.log(error);
  }
  return false;
}

But I get the error Error: The runtime API is not available

Am I going about this the wrong way? Is it possible to evaluate access with a function at all? If you can't simply compare identifiers, how do you handle access rules?

2 answers:

Answer 0 (score: 0)

Customer should be a participant, not an asset:


Answer 1 (score: 0)

You should be able to do:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (p.getIdentifier() === r.a.customer.getIdentifier())
  action: ALLOW
}

p also needs READ access to be able to read the 'asset resource' A (it checks the identifiers etc. first) :-)
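A complete permissions.acl that follows this answer, as an added example (not from the question or either answer): the namespaces are the question's own org.xxx.test ones, the rule names are assumed, and the condition stays an inline expression rather than a script.js call. Because the rule on B dereferences r.a, the supporting READ rule on A that the answer mentions is included alongside it.

```acl
/*
 * Added example: permissions.acl covering the chain Customer -> A -> B
 * from the question. Rule names are assumed; namespaces are the
 * question's own (org.xxx.test.*).
 */

// A Customer may read A assets whose customer relationship points at it.
rule CustomerReadOwnA {
  description: "Customer can read A assets that reference itself"
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.A"
  condition: (r.customer.getIdentifier() === p.getIdentifier())
  action: ALLOW
}

// A Customer may read B assets reachable through its own A.
// The condition follows r.a, so the READ rule on A above is required too.
rule CustomerReadBViaA {
  description: "Customer can read B assets whose A references itself"
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (r.a.customer.getIdentifier() === p.getIdentifier())
  action: ALLOW
}

// Anything not matched above remains denied. Rules for the
// org.hyperledger.composer.system.** namespace that a deployed
// network also needs are omitted here.
```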