pii-network - acl permission-授权/撤销访问网络,但不授予他自己

时间:2017-09-06 11:26:26

标签: acl hyperledger hyperledger-composer access-rules

我正在使用Hyperledger Composer的在线Playground(https://composer-playground.mybluemix.net/)。

我想从“pii-network”示例修改acl文件。

我想只有在参与者想要授权其他成员而非他自己时才能获得授权访问权限......我该怎么做? 我对ACL文件进行了以下更改,但它不能像我预期的那样工作(它授权/撤销任何人而不是没有自己的人):

rule AuthorizeAccessTransaction {
   description: "Allow all participants to submit AuthorizeAccess transactions"
   participant(p): "org.acme.model.Doctor"
   operation: CREATE
   resource(r): "org.acme.model.AuthorizeAccess"
   condition: (r.getIdentifier() != p.getIdentifier())
   action: ALLOW 
}
rule RevokeAccessTransaction {
   description: "Allow all participants to submit RevokeAccess transactions"
   participant(p): "org.acme.model.Doctor"
   operation: CREATE
   resource(r): "org.acme.model.RevokeAccess"
   condition: (r.getIdentifier() != p.getIdentifier())
   action: ALLOW
}
rule OwnRecordFullAccess {
   description: "Allow all participants full access to their own record"
   participant(p): "org.acme.model.Doctor"
   operation: ALL
   resource(r): "org.acme.model.Doctor"
   condition: (r.getIdentifier() === p.getIdentifier())
   action: ALLOW
}
rule ForeignRecordConditionalAccess {
   description: "Allow participants access to other people's records if granted"
   participant(p): "org.acme.model.Doctor"
   operation: ALL
   resource(r): "org.acme.model.Doctor"
   condition: (r.authorized && r.authorized.indexOf(p.getIdentifier()) > -1)
   action: ALLOW
}

rule SystemACL {
   description: "System ACL to permit all access"
   participant: "org.hyperledger.composer.system.Participant"
   operation: ALL
   resource: "org.hyperledger.composer.system.**"
   action: ALLOW

}

我按照https://www.youtube.com/watch?v=VTX-9VyO6OU&feature=youtu.be的说明操作,然后像我展示的那样更改了.acl文件

有谁知道这是什么问题?我错了什么?

我在这里也显示了cto文件:

namespace org.acme.model

concept Specialization {
o String hospital
o String hospital_ward //reparto ospedaliero
o String city 
o String county
o String zip
o String field //campo medico di specializzazione

} 

participant Doctor identified by username {
o String username
o String firstName
o String lastName
o Specialization specialization 
o DateTime dob optional
o String[] authorized optional

} 

abstract transaction DoctorTransaction {
o String username

} 

transaction AuthorizeAccess extends DoctorTransaction {

} 

transaction RevokeAccess extends DoctorTransaction {

} 

event DoctorEvent {
o DoctorTransaction doctorTransaction

}

1 个答案:

答案 0 :(得分:0)

将关系用作授权用户的数据类型。

participant Doctor identified by username {
o String username
o String firstName
o String lastName
o Specialization specialization 
o DateTime dob optional
--> Doctor[] authorized optional

然后使用此功能检查Permissions.acl中的条件

rule ForeignRecordConditionalAccess {
   description: "Allow participants access to other people's records if granted"
   participant(p): "org.acme.model.Doctor"
   operation: ALL
   resource(r): "org.acme.model.Doctor"
   condition: (
    r.authorized.some(function (doc){
      return doc.$identifier === p.$identifier;
    })
   )
   action: ALLOW
}
相关问题
最新问题