Access Control in VTECX (part zero)
Currently, I’ve been assigned to a task where I’ve been told to add ACL to our current project (frankly speaking, this is the first time I’ve heard the term ACL 😑).
So what is this ACL and how can I implement it in my current project? (the first question that arose in my mind)
ACL: After some searching, I learned that ACL stands for Access Control List, and it is used to restrict which resources a user may access.
Why ACL: vtecx manages resources in a hierarchical order, much like a filesystem on Linux or Windows, where a directory sits inside a parent directory. So what we want is to set permissions on these folders and subfolders for various users.
So let's test what vtecx provides for implementing ACL.
Scenario: let's assume that we have a resource named product and three types of users:
- admin: can view, add, edit, delete product
- sales manager: can view, add product
- customer: can view product
So our process flow could be either:
- Create some users, assign them to a group, then set permissions on that group.
Or:
- Create some users and attach them as contributors to our products. Obviously, we’ll attach permissions to those contributors.
In this part, we’ll see how we can implement contributor permission. Later on, we’ll look at group permission.
Add user
post http://localhost:8000/d/?_adduserByAdmin
Let's add a user named Mr. Customer. We’ll send a feed to the _adduserByAdmin API.
This piece of code will add a user named Mr. Customer.
Some tips about the API:
* Only an admin user can send a request to _adduserByAdmin. To check your role, send a request to get /d/_group/$admin?f&x and look for your uid there.
* You can add multiple users by adding multiple objects to the request feed: contributor: [{uri: '…', name: '…'}, {uri: '…', name: '…'}, …]
User List
We can fetch our users’ list by sending a request to get /d/_user?f&x. The response contains all user entries, including our Mr. Customer entry, like the one below.
So we’ve already assumed that we have products; now we have users too.
We can check all our product entries with get /d/product?f&x.
We can check all our product ACLs with get /d/product?e&x. The response may not include any ACL for this request yet, but by default the admin user has all privileges.
Now we want to give Mr. Customer read-only permission. So we’re going to send a request to put /d/?_post, and the request feed will look like this:
contributor:
- Here we’ve added Mr. Customer as a contributor, and s/he only gets Read access.
- We’ve added two other groups, $admin and $useradmin, with all permissions (C=create, R=read, U=update, D=delete). At the time of this writing, it's necessary to add these two groups as contributors, because otherwise you may end up in a situation where the admin user can’t access the product (which is pretty confusing 😑).
link:
- you can find the ___rel and ___href from /d/your_resource_name?e&x
Now if we log in with Mr. Customer's credentials, we can see all the product entries we’ve got. On the other hand, if Mr. Customer tries to update or delete any product, s/he will receive a 403 Forbidden response:
{"feed":{"title":"Access denied. uid = 69920, uri = /product/1609655892318"}}
So, we’ve successfully limited the access for a user.
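As an added example (not code from this post or from vte.cx itself), here is a small JavaScript model of what we did above: it builds the contributor list and link for the put /d/?_post request, then evaluates a caller against that list the way the 403 response suggests. The rights encoding urn:vte.cx:acl:<principal>,<CRUD letters>, the ___rel value "self", and the group uri form /_group/$admin are assumptions; the post only shows the uri/name shape and the C/R/U/D letters.

```javascript
// Assumed encoding (not shown in the post): each contributor uri is
// "urn:vte.cx:acl:<principal>,<rights>" where <principal> is a user uri such as
// /_user/69920 or a group uri such as /_group/$admin, and <rights> is a subset of C, R, U, D.
const ACL_PREFIX = "urn:vte.cx:acl:";

// Build one contributor object in the assumed format, rejecting unknown letters.
function aclContributor(principal, rights, name) {
  if (!/^[CRUD]+$/.test(rights)) throw new Error(`bad rights: ${rights}`);
  return { uri: `${ACL_PREFIX}${principal},${rights}`, name };
}

// Build the entry for put /d/?_post: read-only for the customer, plus full
// rights for $admin and $useradmin so the admin user keeps access to the product.
function buildAclEntry(resourceHref, customerUid, customerName) {
  return {
    contributor: [
      aclContributor(`/_user/${customerUid}`, "R", customerName),
      aclContributor("/_group/$admin", "CRUD", "admin"),
      aclContributor("/_group/$useradmin", "CRUD", "useradmin"),
    ],
    link: [{ ___rel: "self", ___href: resourceHref }],
  };
}

// Parse one contributor uri back into { principal, rights }; null if it is not an ACL uri.
function parseAcl(uri) {
  if (!uri.startsWith(ACL_PREFIX)) return null;
  const [principal, rights = ""] = uri.slice(ACL_PREFIX.length).split(",");
  return { principal, rights };
}

// Decide whether uid (member of the given group uris) may perform op (C/R/U/D)
// on entry. Allowed when any contributor matching the caller grants the letter;
// otherwise a 403 whose body mirrors the "Access denied" response seen in the post.
function checkAccess(entry, uid, groups, op) {
  const mine = new Set([`/_user/${uid}`, ...groups]);
  const href = entry.link.find((l) => l.___rel === "self").___href;
  for (const c of entry.contributor) {
    const acl = parseAcl(c.uri);
    if (acl && mine.has(acl.principal) && acl.rights.includes(op)) {
      return { status: 200 };
    }
  }
  return {
    status: 403,
    body: { feed: { title: `Access denied. uid = ${uid}, uri = ${href}` } },
  };
}
```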
Maybe I’ve said much already, so that's it for today. In the next part of this series, we’ll discuss more about ACL.
- Thanks for your time 😊
- Thanks to my Japanese and Bangladeshi teammates for their support 😊