Security - Roles
Every ability in Eicrud is attached to a role. Roles are dynamically assigned to users via the property CrudUser->role.
eicrud.roles.ts
import { CrudRole } from "@eicrud/core/config";
export const roles: CrudRole[] = [
{
name: 'admin',
isAdminRole: true,
canMock: true,
inherits: ['user']
},
{
name: 'user',
inherits: ['guest']
},
{
name: 'guest'
},
]
Roles must be registered in the config service.
@Injectable()
export class MyConfigService extends CrudConfigService {
constructor(...) {
...
this.addRoles(roles);
}
}
Authorization
Eicrud's authorization checks role ability from root to branches:
user.role: defineAbility + check against request.user.role->inherits[0]: defineAbility + check against request.inherit->inherits[0]: defineAbility + check against request.inherit->inherits[1]- ...
user.role->inherits[1]- ...
The authorization stops going up the tree whenever a role passes the check, it also skips already-checked roles.
Note
This means cannot rules from inherited roles have no effect if the child role passes the authorization check.
Guest Role
Your application needs a guest role to define unauthenticated users' abilities. It is set the config service's constructor and defaults as 'guest'.