PII网络示例,想要授权其他参与者

时间:2018-04-30 22:44:05

标签: hyperledger-composer

所以我使用的是 pii 示例网络。最初，网络中只有一种参与者——会员（Member），由会员授权或撤销其他会员对其信息的访问权限。

但是，我想修改网络并添加一种新的参与者，比如说“医生”（Doctor），让会员可以授权或撤销医生参与者的访问权限。

问题在于，当我添加了新的医生参与者并想要授权时，该交易并不在医生参与者中查找，而是在会员参与者中查找。

那么，有人能帮我指出我应该修改什么吗？是逻辑还是定义？还是别的什么？

pii.cto

// Every type below is referred to elsewhere on this page as org.acme.pii.<Type>
// (logic.js registries, permissions.acl resources, queries.qry).
namespace org.acme.pii

// Postal address embedded in a participant record. A concept carries no
// `identified by` clause, so it has no identifier of its own.
concept Address {
  o String street
  o String house
  o String city
  o String county
  o String country
  o String zip
}

// A person whose PII record is protected by the rules in permissions.acl.
// `email` is the identifier returned by getIdentifier() in logic.js and the ACL.
participant Member identified by email {
  o String email
  o String firstName
  o String lastName
  o DateTime dob optional
  o Address address optional
  // Identifiers of participants allowed to access this record. Written only by
  // authorizeAccess()/revokeAccess() in logic.js and read by the
  // ForeignRecordConditionalAccess rule. These are plain strings rather than
  // relationships, so an entry is never validated against any participant
  // registry.
  o String[] authorized optional
}

// Same shape as Member. NOTE(review): nothing on this page writes or reads a
// Doctor's `authorized` list — logic.js only updates org.acme.pii.Member, and
// the only Doctor-specific ACL rule (DoctorAccess) covers own-record access.
participant Doctor identified by email {
  o String email
  o String firstName
  o String lastName
  o DateTime dob optional
  o Address address optional
  o String[] authorized optional
}

// Base type of AuthorizeAccess and RevokeAccess. `memberId` names the
// participant being granted or denied access (presumably a Doctor's email in
// the scenario described above — confirm). It is a free-form String, so the
// processors accept any value without checking that such a participant exists.
abstract transaction MemberTransaction {
  o String memberId
}

// NOTE(review): declared but never used on this page — both concrete
// transactions extend MemberTransaction, and neither logic.js nor
// permissions.acl refers to this type.
abstract transaction DoctorTransaction {
  o String memberId
}

// Processed by authorizeAccess() in logic.js: appends memberId to the
// submitting participant's own `authorized` list.
transaction AuthorizeAccess extends MemberTransaction {
}

// Processed by revokeAccess() in logic.js: removes memberId from the
// submitting participant's own `authorized` list.
transaction RevokeAccess extends MemberTransaction {
}

// Emitted by both processors in logic.js, and only when the `authorized` list
// actually changed; carries the originating transaction.
event MemberEvent {
  o MemberTransaction memberTransaction
}

Logic.js

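/**
 * A Member grants another participant access to their record.
 *
 * Only the submitting participant's own Member record (getCurrentParticipant())
 * is modified: `authorize.memberId` is appended to its `authorized` list. The
 * transaction never touches the record of the participant being authorized.
 *
 * The `@transaction` tag below is what registers this function as the
 * processor for org.acme.pii.AuthorizeAccess (it mirrors revokeAccess).
 *
 * @param {org.acme.pii.AuthorizeAccess} authorize - the AuthorizeAccess to be processed
 * @throws {Error} if no participant is mapped to the submitting identity
 * @transaction
 */
async function authorizeAccess(authorize) {  // eslint-disable-line no-unused-vars

    const me = getCurrentParticipant();

    // Must precede the first use of `me`: the log line used to come first, so a
    // missing mapping surfaced as a TypeError on me.getIdentifier() instead of
    // this message.
    if (!me) {
        throw new Error('A participant/certificate mapping does not exist.');
    }
    console.log(`**** AUTH: ${me.getIdentifier()} granting access to ${authorize.memberId}`);

    // `authorized` is optional in the model, so a fresh Member has no list yet.
    if (!me.authorized) {
        me.authorized = [];
    }

    // Idempotent: a repeated grant for the same id changes nothing and emits
    // nothing. NOTE(review): memberId is a plain String in the model, so no
    // check is made here that a Member or Doctor with that id exists.
    if (me.authorized.includes(authorize.memberId)) {
        return;
    }
    me.authorized.push(authorize.memberId);

    // emit an event
    const event = getFactory().newEvent('org.acme.pii', 'MemberEvent');
    event.memberTransaction = authorize;
    emit(event);

    // persist the state of the member
    const memberRegistry = await getParticipantRegistry('org.acme.pii.Member');
    await memberRegistry.update(me);
}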

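/**
 * A Member revokes access to their record from another Member.
 *
 * Only the submitting participant's own Member record (getCurrentParticipant())
 * is modified: `revoke.memberId` is removed from its `authorized` list.
 *
 * @param {org.acme.pii.RevokeAccess} revoke - the RevokeAccess to be processed
 * @throws {Error} if no participant is mapped to the submitting identity
 * @transaction
 */
async function revokeAccess(revoke) {  // eslint-disable-line no-unused-vars

    const me = getCurrentParticipant();

    // Must precede the first use of `me`: the log line used to come first, so a
    // missing mapping surfaced as a TypeError on me.getIdentifier() instead of
    // this message.
    if (!me) {
        throw new Error('A participant/certificate mapping does not exist.');
    }
    console.log(`**** REVOKE: ${me.getIdentifier()} revoking access to ${revoke.memberId}`);

    // Nothing to revoke when the list was never created or does not hold the id;
    // in that case no event is emitted and the record is not rewritten.
    const index = me.authorized ? me.authorized.indexOf(revoke.memberId) : -1;
    if (index === -1) {
        return;
    }
    me.authorized.splice(index, 1);

    // emit an event
    const event = getFactory().newEvent('org.acme.pii', 'MemberEvent');
    event.memberTransaction = revoke;
    emit(event);

    // persist the state of the member
    const memberRegistry = await getParticipantRegistry('org.acme.pii.Member');
    await memberRegistry.update(me);
}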

permissions.acl

/*
 * Any participant may submit a grant. This is safe only because
 * authorizeAccess() in logic.js applies it to the submitter's own record
 * (getCurrentParticipant()) and never to the record named in the transaction.
 */
rule AuthorizeAccessTransaction {
    description: "Allow all participants to submit AuthorizeAccess transactions"
    participant: "ANY"
    operation: CREATE
    resource: "org.acme.pii.AuthorizeAccess"
    action: ALLOW
}

/*
 * Any participant may submit a revoke; as with AuthorizeAccessTransaction,
 * revokeAccess() only ever edits the submitter's own `authorized` list.
 */
rule RevokeAccessTransaction {
    description: "Allow all participants to submit RevokeAccess transactions"
    participant: "ANY"
    operation: CREATE
    resource: "org.acme.pii.RevokeAccess"
    action: ALLOW
}

/*
 * A Member may do anything to its own record. ALL includes UPDATE and DELETE,
 * not only READ; the identifier comparison is what scopes it to "own".
 */
rule OwnRecordFullAccess {
    description: "Allow all participants full access to their own record"
    participant(p): "org.acme.pii.Member"
    operation: ALL
    resource(r): "org.acme.pii.Member"
    condition: (r.getIdentifier() === p.getIdentifier())
    action: ALLOW
}

/*
 * Doctor counterpart of OwnRecordFullAccess: a Doctor may access its own
 * Doctor record only. No rule in this file lets a Doctor reach a Member
 * record, even one whose `authorized` list names the Doctor — which matches
 * the behaviour the question describes.
 */
rule DoctorAccess {
    description: "Allow all participants full access to their own record"
    participant(p): "org.acme.pii.Doctor"
    operation: ALL
    resource(r): "org.acme.pii.Doctor"
    condition: (r.getIdentifier() === p.getIdentifier())
    action: ALLOW
}

/*
 * Member-to-Member sharing: a Member listed in another Member's `authorized`
 * array gets access to that record. A Doctor never matches participant(p)
 * here. Note that ALL grants UPDATE and DELETE as well as READ, so an
 * authorized member could rewrite the record — including its `authorized`
 * list; consider restricting the operation to READ unless write-through is
 * intended.
 */
rule ForeignRecordConditionalAccess {
    description: "Allow participants access to other people's records if granted"
    participant(p): "org.acme.pii.Member"
    operation: ALL
    resource(r): "org.acme.pii.Member"
    condition: (r.authorized && r.authorized.indexOf(p.getIdentifier()) > -1)
    action: ALLOW
}

/*
 * Lets every participant reach the system namespace (transaction and
 * participant registries, historian). Unchanged from the sample network.
 */
rule SystemACL {
    description:  "System ACL to permit all access"
    participant: "org.hyperledger.composer.system.Participant"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

/*
 * Network administrators bypass every rule above: "**" covers all Member and
 * Doctor records regardless of `authorized`.
 */
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

/*
 * Administrator access to the system namespace; already implied by
 * NetworkAdminUser's "**" resource but kept for clarity.
 */
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

queries.qry

/*
 * Lists every Member record. NOTE(review): which rows a given caller actually
 * sees presumably depends on the ACL rules above (own record, granted
 * records) — verify against the runtime rather than assuming the query
 * itself is unrestricted.
 */
query selectMembers {
  description: "Select all members"
  statement:
      SELECT org.acme.pii.Member
}

1 个答案:

答案 0 :(得分:0)

好的，我明白了。在 acl 文件中，我只需要把这条规则改成：

/*
 * Only participant(p) changed, from org.acme.pii.Member to org.acme.pii.Doctor:
 * a Doctor whose identifier appears in a Member's `authorized` list now
 * matches. Because the rule keeps its name, this presumably replaces the
 * Member-to-Member rule rather than adding to it; keep both under distinct
 * names if members must still share with members. As before, ALL grants
 * UPDATE and DELETE on the Member record, not just READ.
 */
rule ForeignRecordConditionalAccess {
    description: "Allow participants access to other people's records if granted"
    participant(p): "org.acme.pii.Doctor"
    operation: ALL
    resource(r): "org.acme.pii.Member"
    condition: (r.authorized && r.authorized.indexOf(p.getIdentifier()) > -1)
    action: ALLOW
}