It is possible to reject requests by specifying a condition with the authorize
configuration property.
authorize
uses the same format as the
filter
query
argument, except
parameters, including
server-specific parameters,
are specified instead of collection's attributes.
In the example below, delete commands will be rejected.
authorize:
command:
_neq: delete
With authorize
, one can define
role-based access control
or other authorization design.
The example below gives read-only permissions to the reader
group, read-write
permissions to the manager
group, and full permissions to the admin
group.
authorize:
- command: find
user_group: reader
- command:
_in: [find, patch]
user_group: manager
- user_group: admin
It is also possible to directly use functions.
authorize:
params:
key: (getSecretKey())
One can specify collection-specific authorization with the
collection.authorize
configuration property.
The format is the same as authorize
, except model
can also be used.
In the example below, requests on example_collection
will be rejected unless
example_collection.age
is over 30
or example_collection.public
is true
.
collections:
example_collection:
authorize:
- model:
age:
_gte: 30
- model:
public: true
If the model is being modified, attributes are checked both before and after
modification. In other words, it is checked on both previousmodel
and model
parameters.
In the example below, requests will be prevented from fetching any
example_collection
with example_collection.locked
true
. It will also
prevent requests from setting example_collection.locked
to true
or creating
such a model.
collections:
example_collection:
authorize:
model:
locked: false
Using this feature allows you to define access control lists restricting the permissions of a model based on the value of its attributes.
Functions cannot use the parameters
model
, value
, previousmodel
nor previousvalue
. However, it is possible
to target another attribute by using a model.ATTRIBUTE
string as value.
In the example below, requests will be rejected on any example_collection
unless example_collection.created_time
equals
example_collection.updated_time
.
collections:
example_collection:
authorize:
model:
created_time: model.updated_time
Readonly attributes cannot be modified. Trying to do so won't report any error, but the attribute value will not change.
They can be specified using attribute.readonly
.
collections:
example_collection:
attributes:
example_attribute:
readonly: true
An attribute can be readonly based on a condition, by using a
function in attribute.readonly
.
In the example below, the model's name
attribute will be readonly only if its
locked
attribute is true
.
collections:
example_collection:
attributes:
name:
readonly: (model.locked === true)
locked:
type: boolean