# Configuration - Limits

Eicrud provides various ways to limit what users can do in your application.

> **Note:** Most of these limits are enforced at the controller level, so they only apply to operations called from the client (requests that go through the controller); calls made directly on a service from server-side code are not subject to them.
## CrudSecurity

```typescript
export function getSecurity(entity: string): CrudSecurity {
  return {
    maxItemsInDb: 1000,
    maxItemsPerUser: 10,
    additionalItemsInDbPerTrustPoints: 1,
    alwaysExcludeFields: ['password'],
    skipQueryValidationForRoles: [],
    alwaysAllowedCrudOptions: [],
    //...
  }
}
```
### maxItemsInDb

Limits how many instances of an entity can be stored in the DB. If `maxItemsInDb` is exceeded, calls to `CrudService->$create` will throw an error.
### maxItemsPerUser

Limits how many instances of an entity a user can create.

> **Note:** You can set a default `maxItemsPerUser` for all your services in the validation options.
### additionalItemsInDbPerTrustPoints

Adds `x` additional allowed instances for each trust point the user has.
### alwaysExcludeFields

Always excludes the specified entity fields from find operations.
### skipQueryValidationForRoles

Disables read, update and delete query validation for the specified roles (and their parents). See this issue for more details.
### alwaysAllowedCrudOptions

Always allows the specified `CrudOptions` (for all roles).
## CrudSecurityRights

### maxBatchSize

Allows users of a specific role to perform batch operations, with `maxBatchSize` as the maximum number of items per batch.

> **Note:** You might want to keep the batch size low for large entities: a large batch size makes your server use more RAM to process each request.
### fields

Limits the entity fields returned in find operations (to users of the specified role).
## CmdSecurity

```typescript
const getCmdSecurity = (command, user): CmdSecurity => {
  return {
    maxUsesPerUser: 100,
    additionalUsesPerTrustPoint: 1,
    minTimeBetweenCmdCallMs: 500, //ms
    secureOnly: true,
    nonAdminQueryLimit: 50,
    adminQueryLimit: 200,
    allowGetMethod: false, // enable only for commands that do not change state (see warning below)
    //...
  }
}
```
### maxUsesPerUser

Limits how many times a user can call the command.
### additionalUsesPerTrustPoint

Adds `x` additional uses for each trust point the user has.
### minTimeBetweenCmdCallMs

Minimum time (in milliseconds) required between two calls of the command by the same user.
### secureOnly

Indicates that the command can only be called in secure mode (POST). Secure mode always fetches `ctx.user` from the database and never from the cache.
### nonAdminQueryLimit

The default `CrudOptions->limit` set when calling the command (for non-admin users).

### adminQueryLimit

The default `CrudOptions->limit` set when calling the command (for admin users).
> **Note:** `CrudOptions->limit` can be used in commands to return limited results. See this tutorial for more info.
### allowGetMethod

Allows the command to be used with a GET request. This is useful for triggering a command with a simple URL.

> **Warning:** CSRF protection is not enforced on GET requests; make sure your command doesn't change your application state when enabling this.
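As an added example, not taken from Eicrud's code or documentation, the following TypeScript checker applies the `CmdSecurity` options above to a single command call, showing how `secureOnly`, `allowGetMethod`, the trust-point quota and `minTimeBetweenCmdCallMs` combine (for instance, a `secureOnly` command rejects GET even when `allowGetMethod` is set, because only POST is secure mode). The `CallState` shape, `checkCmdCall` and the order of the checks are assumptions, not Eicrud's implementation.

```typescript
// Added illustration, not Eicrud's own implementation: applies the CmdSecurity
// rules described above to one command call. Field names follow the page; the
// CallState shape, the check order and the verdict format are assumptions.
interface CmdSecurity {
  maxUsesPerUser?: number;
  additionalUsesPerTrustPoint?: number;
  minTimeBetweenCmdCallMs?: number;
  secureOnly?: boolean;
  allowGetMethod?: boolean;
}

interface CallState {
  trustPoints: number;  // the calling user's trust points
  uses: number;         // how many times this user already called the command
  lastCallMs?: number;  // timestamp of this user's previous call, if any
}

type Verdict = { allowed: true } | { allowed: false; reason: string };

function checkCmdCall(sec: CmdSecurity, state: CallState, method: string, nowMs: number): Verdict {
  // secureOnly: the command is only reachable in secure mode, i.e. over POST
  if (sec.secureOnly && method !== 'POST') {
    return { allowed: false, reason: 'secureOnly command requires POST' };
  }
  // GET has no CSRF protection, so it is accepted only when explicitly enabled
  if (method === 'GET' && !sec.allowGetMethod) {
    return { allowed: false, reason: 'GET is not enabled for this command' };
  }
  // per-user quota: maxUsesPerUser plus additionalUsesPerTrustPoint per trust point
  if (sec.maxUsesPerUser !== undefined) {
    const allowance =
      sec.maxUsesPerUser + state.trustPoints * (sec.additionalUsesPerTrustPoint ?? 0);
    if (state.uses >= allowance) {
      return { allowed: false, reason: `maxUsesPerUser reached (${allowance})` };
    }
  }
  // minTimeBetweenCmdCallMs: reject calls that follow the previous one too closely
  if (
    sec.minTimeBetweenCmdCallMs !== undefined &&
    state.lastCallMs !== undefined &&
    nowMs - state.lastCallMs < sec.minTimeBetweenCmdCallMs
  ) {
    return { allowed: false, reason: 'called too soon after the previous call' };
  }
  return { allowed: true };
}
```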
## LimitOptions

```typescript
const limitOptions: LimitOptions = {
  nonAdminQueryLimit: 40,       // default query limit for non-admin users
  adminQueryLimit: 400,         // default query limit for admin users
  nonAdminQueryLimit_IDS: 4000,
  adminQueryLimit_IDS: 8000,
  maxFindInIdsLength: 250,
}

@Injectable()
export class MyConfigService extends CrudConfigService {
  constructor(/* ... */) {
    super({ limitOptions, /* ... */ })
  }
  //..
}
```