Access Control in VTECX (part zero)

Shakil Ahmed
3 min read · Jan 3, 2021

Currently, I've been assigned a task where I've been told to add ACL to our current project (frankly speaking, this is the first time I've heard the term ACL 😑).
So what is this ACL, and how can I implement it in my current project? (That's the first question that arose in my mind.)

ACL: After some searching, I've come to the point that ACL stands for Access Control List; it is used to limit which users can access specific resources.

Why ACL: vtecx manages resources in hierarchical order, so it is much like a filesystem in Linux or Windows, where a directory is added inside a parent directory. What we want is to attach permissions to these folders and subfolders for various users.

So let's test what vtecx has made for us to implement ACL.

Scenario: let's assume that we have a resource named product
and three types of users, e.g. admin, sales manager, customer:

  • admin: can view, add, edit, delete product
  • sales manager: can view, add product
  • customer: can view product

So our process flow could be like

  • Create some users, assign them to a group, and then set permissions on that group.
Group Permission

Or we could

  • Create some users and attach them as contributors to our products. Obviously, we'll attach permissions to those contributors.
Contributor permissions

In this part, we'll see how we can implement contributor permissions. Later on, we'll see group permissions.

Add user

post http://localhost:8000/d/?_adduserByAdmin

Let's add a user named Mr. Customer.
We'll send a feed to the _addUserByAdmin API.

This piece of code will add a user named Mr. Customer:

Add User

Some tips about the API:
* Only an admin user can send a request to _addUserByAdmin. To check your role, send a request to get d/_group/$admin?f&x and look for your uid there.
* You can add multiple users by adding multiple objects to the contributor array of the request feed: contributor: [{uri:'…', name:'…'}, {uri:'…', name:'…'}, …]

User List

We can fetch our user list by sending a request to get /d/_user?f&x. The response contains all user entries, including our Mr. Customer entry, as below:

So we've already assumed that we have products, and now we have users.
We can check all our product entries with get /d/product?f&x.
We can check all our product ACLs with get /d/product?e&x. The response may not include any ACL for this request yet, but by default the admin user has all privileges.

Now we want to give Mr. Customer read-only permission.

So we're going to send a request to put /d/?_post. The request feed will look like this:

contributor:

  • See, we've added Mr. Customer as a contributor, and s/he only got Read access.
  • We've added two other groups, $admin and $useradmin, with all permissions (C=create, R=read, U=update, D=delete). At the time of this writing, it's necessary to add these two groups as contributors, because otherwise you may end up in a situation where the admin user can't access the product (which is pretty confusing 😑).

link:

  • You may find the ___rel and ___href from /d/your_resource_name?e&x.

Now, if we log in with the credentials of Mr. Customer, we can see all the product entries we've got. On the other hand, if Mr. Customer tries to update or delete any product, s/he will receive a 403 Forbidden response:
{feed:{title:"Access denied. uid = 69920, uri = /product/1609655892318"}}
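The policy described above, as an added example that is not part of the original post and not vte.cx's own code: a small Python helper that builds the request feed for put /d/?_post from the role table of the scenario (admin CRUD, sales manager CR, customer R, plus the two required groups), and a local check that mirrors the server's decision and produces the same Access denied body shape as the 403 above. The urn:vte.cx:acl:<subject>,<rights> contributor uri format, the /_user/<uid> subject form and the "self" link rel are my assumptions; confirm them against what get /d/product?e&x returns for your own entries.

```python
import json

# Assumption: vte.cx encodes a contributor's rights in the contributor uri as
# urn:vte.cx:acl:<subject>,<rights>; confirm against your own `?e&x` output.
ACL_PREFIX = "urn:vte.cx:acl:"

# Role table from the scenario: the CRUD letters each role should receive.
ROLE_RIGHTS = {"admin": "CRUD", "sales manager": "CR", "customer": "R"}

# Two groups that currently must stay on every entry so the admin keeps access.
REQUIRED_GROUPS = {"/_group/$admin": "CRUD", "/_group/$useradmin": "CRUD"}


def contributor(subject, rights):
    """One contributor object; rejects letters outside C/R/U/D so a typo
    cannot silently grant something other than what the role table says."""
    if not rights or set(rights) - set("CRUD"):
        raise ValueError(f"bad rights {rights!r} for {subject}")
    return {"uri": f"{ACL_PREFIX}{subject},{rights}"}


def build_acl_feed(entry_href, user_roles, rel="self"):
    """Feed body for `put /d/?_post` that sets the ACL on one existing entry.
    user_roles maps a subject uri (assumed /_user/<uid> form) to a role name.
    ___rel/___href come from `get /d/<resource>?e&x`; "self" is an assumption."""
    policy = dict(REQUIRED_GROUPS)
    for subject, role in user_roles.items():
        policy[subject] = ROLE_RIGHTS[role]
    entry = {
        "contributor": [contributor(s, r) for s, r in policy.items()],
        "link": [{"___rel": rel, "___href": entry_href}],
    }
    return {"feed": {"entry": [entry]}}


def parse_contributor(uri):
    """Split an ACL contributor uri back into (subject, rights); None if not an ACL."""
    if not uri.startswith(ACL_PREFIX):
        return None
    subject, sep, rights = uri[len(ACL_PREFIX):].rpartition(",")
    return (subject, rights) if sep else None


def is_allowed(entry, subjects, op):
    """True if any contributor of `entry` names one of the requester's subjects
    (their own user uri or a group they belong to) with the requested letter."""
    for c in entry.get("contributor", []):
        parsed = parse_contributor(c.get("uri", ""))
        if parsed and parsed[0] in subjects and op in parsed[1]:
            return True
    return False


def check_request(entry, entry_href, uid, groups, op):
    """Local mirror of the server's decision: (200, None) when allowed, otherwise
    (403, body) with the same body shape the article shows for a denied request."""
    subjects = {f"/_user/{uid}", *groups}
    if is_allowed(entry, subjects, op):
        return 200, None
    return 403, {"feed": {"title": f"Access denied. uid = {uid}, uri = {entry_href}"}}


if __name__ == "__main__":
    href = "/product/1609655892318"  # entry key taken from the article's 403 body
    feed = build_acl_feed(href, {"/_user/69920": "customer"})  # uid from the article
    print(json.dumps(feed, indent=2))
    entry = feed["feed"]["entry"][0]
    print(check_request(entry, href, 69920, [], "R"))  # Mr. Customer may read
    print(check_request(entry, href, 69920, [], "D"))  # but not delete: 403 body
    print(check_request(entry, href, 1, ["/_group/$admin"], "D"))  # admin group may
```

Keeping the role table as data and generating the contributor list from it is the point: every entry gets the same two required groups, a customer can never end up with more than "R" by hand-editing a feed, and the local check lets you verify the intended outcome (read allowed, update/delete denied) before sending the request.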

So, we’ve successfully limited the access for a user.

Maybe I've said enough already, so that's it for today. In the next part of this series, we'll discuss ACL in more detail.

-Thanks for your time 😊
- Thanks to my Japanese and Bangladeshi teammates for their support 😊
