在将Casl用于一些简单的项目之后,我正在尝试实现更复杂的东西。我正在尝试将Roles with persisted permissions与网站上描述的JWT混合使用。
对于此基本示例,我尝试授予 User 主题 read 操作权限,但仅授予属于组织一部分的用户条目:
我的用户模型
interface UserAttrs {
email: string;
firstName: string;
lastName: string;
password: string;
role: RoleDoc;
organization: OrganizationDoc;
}
interface UserModel extends mongoose.Model<UserDoc> {
build(attrs: UserAttrs): UserDoc;
}
interface UserDoc extends mongoose.Document {
email: string;
firstName: string;
lastName: string;
active: boolean;
password: string;
createdAt: Date;
updatedAt: Date;
role: RoleDoc;
organization: OrganizationDoc;
}
const userSchema = new mongoose.Schema(
{
email: {
type: String,
required: true,
unique: true,
trim: true,
match: [/.+\@.+\..+/, 'Please fill a valid email address'],
},
firstName: {
type: String,
required: true,
trim: true,
},
lastName: {
type: String,
required: true,
trim: true,
},
active: {
type: Boolean,
default: true,
required: true,
},
password: {
type: String,
required: true,
},
createdAt: {
type: Date,
required: true,
default: Date.now,
},
updatedAt: {
type: Date,
required: true,
default: Date.now,
},
role: {
type: mongoose.Schema.Types.ObjectId,
required: true,
ref: 'Role',
},
organization: {
type: mongoose.Schema.Types.ObjectId,
ref: 'Organization',
},
},
{
toJSON: {
transform(_doc, ret) {
ret.id = ret._id;
delete ret._id;
delete ret.password;
delete ret.__v;
},
},
}
);
userSchema.pre('save', async function (done) {
if (this.isModified('password')) {
const hashed = await Password.toHash(this.get('password'));
this.set('password', hashed);
this.set('updatedAt', Date.now);
}
done();
});
userSchema.statics.build = (attrs: UserAttrs) => {
return new User(attrs);
};
const User = mongoose.model<UserDoc, UserModel>('User', userSchema);
export { User };
组织模型
interface OrganizationAttrs {
id: string;
name: string;
}
interface OrganizationModel extends mongoose.Model<OrganizationDoc> {
build(attrs: OrganizationAttrs): OrganizationDoc;
}
export interface OrganizationDoc extends mongoose.Document {
name: string;
version: number;
}
const organizationSchema = new mongoose.Schema(
{
name: {
type: String,
required: true,
unique: true,
trim: true,
},
},
{
toJSON: {
transform(_doc, ret) {
ret.id = ret._id;
delete ret._id;
},
},
}
);
organizationSchema.set('versionKey', 'version');
organizationSchema.plugin(updateIfCurrentPlugin);
organizationSchema.statics.findByEvent = (event: {
id: string;
version: number;
}) => {
return Organization.findOne({
_id: event.id,
version: event.version - 1,
});
};
organizationSchema.statics.build = (attrs: OrganizationAttrs) => {
return new Organization({
_id: attrs.id,
name: attrs.name,
});
};
const Organization = mongoose.model<OrganizationDoc, OrganizationModel>(
'Organization',
organizationSchema
);
export { Organization };
角色模型
interface RoleAttrs {
name: string;
permissions: string;
organization: OrganizationDoc;
}
interface RoleModel extends mongoose.Model<RoleDoc> {
build(attrs: RoleAttrs): RoleDoc;
}
export interface RoleDoc extends mongoose.Document {
name: string;
permissions: string;
organization: OrganizationDoc;
}
const roleSchema = new mongoose.Schema(
{
name: {
type: String,
required: true,
unique: true,
trim: true,
},
permissions: {
type: String,
required: true,
trim: true,
},
organization: {
type: mongoose.Schema.Types.ObjectId,
required: true,
ref: 'Organization',
},
},
{
toJSON: {
transform(_doc, ret) {
ret.id = ret._id;
delete ret._id;
delete ret.__v;
},
},
}
);
roleSchema.pre('save', async function (done) {
done();
});
roleSchema.statics.build = (attrs: RoleAttrs) => {
return new Role(attrs);
};
const Role = mongoose.model<RoleDoc, RoleModel>('Role', roleSchema);
export { Role };
角色的权限字段存储为字符串。用户登录后,我将权限添加到JWT令牌
const existingUser = await User.findOne({ email, active: true })
.populate('role')
.populate('organization');
// Check if user is valid...
// userPermissions = [{ action: 'read', subject: 'User', conditions: { organization: '{{organization.id}}' }, }, ](as a string)
const userPermissions = Mustache.render(
existingUser.role.permissions,
existingUser
);
console.log(userPermissions);
// result ==> [{"action":"read","subject":"User","conditions":{"organization":"5f4bc664e27664265cb033d7"}}]
// Genereate json web token JWT
const userJWT = jwt.sign(
{
id: existingUser.id,
email: existingUser.email,
organizationId: existingUser.organization.id,
userRolePermissions: userPermissions,
},
process.env.JWT_KEY!
);
然后在中间件中,我创建类似于here
的功能const { id, email, organizationId, userRolePermissions } = jwt.verify(
req.session.jwt,
process.env.JWT_KEY!
) as Token;
const currentUser: UserPayload = {
id: id,
email: email,
organizationId: organizationId,
userRolePermissions: createAbility(JSON.parse(userRolePermissions)),
};
createAbility的结果是
i {
s: false,
v: [Object: null prototype] {},
p: [Object: null prototype] {},
g: [Object: null prototype] {
User: [Object: null prototype] {
read: [Object: null prototype] {
'0': t {
t: [Function],
i: undefined,
action: 'read',
subject: 'User',
inverted: false,
conditions: { organization: '5f4bc8d85dc07d269e4f303d' },
reason: undefined,
fields: undefined
}
}
}
},
j: [
{
action: 'read',
subject: 'User',
conditions: { organization: '5f4bc8d85dc07d269e4f303d' }
}
],
O: {
conditionsMatcher: [Function],
fieldMatcher: [Function: j],
resolveAction: [Function: u]
}
}
如果我执行
const organizationId = req.params.organizationId as Object;
const users = await User.find({ organization: organizationId });
// req.currentUser contain the user with the userRolePermissions above
ForbiddenError.from(req.currentUser!.userRolePermissions).throwUnlessCan(
'read',
subject('User', users)
);
我收到消息:“无法对“用户”执行“读取””。我们如何处理ref字段?
我不知道它是否可以解决问题,但是如果我将权限更改为:
有效。
如果我在用户上填充组织字段(然后我将有一个对象),casl的工作原理?我是否应该在角色的权限字段中制定两个规则(如果一个则填充一个规则,否则填充一个规则)?