npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

angularjs-acl

v0.1.2

Published

Provides a lightweight and flexible ACL implementation for privileges management in AngularJS

Downloads

26

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

styletstylet

Keywords

aclangular

Readme

Angular ACL

Build Status License

About

Angular ACL (Access Control List) is a service that allows you to protect/show content based on the current user's assigned role(s), and those role(s) permissions (abilities).

For the purposes of this documentation:

  • a resource is an object to which access is controlled.
  • a role is an object that may request access to a Resource.

Put simply, roles request access to resources. For example, if a parking attendant requests access to a car, then the parking attendant is the requesting role, and the car is the resource, since access to the car may not be granted to everyone.

Through the specification and use of an ACL, an application may control how roles are granted access to resources.

Quick Examples

First you need to install this library :) It's available via bower or npm:

  • npm install --save angularjs-acl
  • bower install --save angularjs-acl and add a <script> to your index.html:
<!-- For bower -->
<script src="/bower_components/angularjs-acl/dist/acl.js"></script>

<!-- For npm -->
<script src="/node_modules/angularjs-acl/dist/acl.js"></script>

Set Data

Add ng-acl to your app module's dependencies & setup the AclService in run() block.

angular.module('myApp', ['ng-acl']);

app.run(['AclService', function (AclService) {
    //All these actions you also can do in the middle of app execution
    AclService.addRole('guest');
    AclService.addRole('user', 'guest');
    AclService.addRole('admin', 'user');

    AclService.addResource('Post');
    AclService.addResource('Users');
    AclService.addResource('AdminPanel');

    AclService.allow('guest', 'Post', 'view');

    //Users can edit edit their own posts & view it because user inherits all guest permissions
    AclService.allow('user', 'Post', 'edit', function (role, resource, privilege) {
        return resource.authorId === role.id;
    });

    //Full access to all actions that available for Post
    AclService.allow('admin', 'Post');
    AclService.allow('admin', 'AdminPanel');

    //Let's assume that you have some user object that implements AclRoleInterface. This is optional feature.
    var user = {
        id: 1,
        name: 'Duck',
        getRoles: function () {
            return ['user'];
        },
    };
    AclService.setUserIdentity(user);
}]);

Protect a route

If the current user tries to go to the /admin_panel route, they will be redirected because the current user is a user, and AdminPanel is not one of a member role's abilities.

However, when the user goes to /posts/2, route will work as normal, since the user has permission.

app.config(['$routeProvider', function ($routeProvider) {
  $routeProvider
    .when('/admin_panel', {
      resolve : {
        'acl' : ['$q', 'AclService', function($q, AclService){
          if(AclService.can('AdminPanel')){
            // Has proper permissions
            return true;
          } else {
            // Does not have permission
            return $q.reject('Unauthorized');
          }
        }]
      }
    });
    .when('/posts/:id', {
      resolve : {
        'acl' : ['$q', 'AclService', function($q, AclService){
          if (AclService.can('Post', 'view')) {
            return true;
          } else {
            return $q.reject('Unauthorized');
          }
        }]
      }
    });
}]);

app.run(['$rootScope', '$location', function ($rootScope, $location) {
  // If the route change failed due to our "Unauthorized" error, redirect them
  $rootScope.$on('$routeChangeError', function(current, previous, rejection){
    if(rejection === 'Unauthorized'){
      $location.path('/');
    }
  })
}]);

Manipulate a Template

The edit link in the template below will be shown, because the current user is a user, and Post which was created by our user is one of a his role's abilities.

Controller
app.controller('DemoCtrl', ['$scope', 'AclService', function ($scope, AclService) {
    $scope.can = AclService.can;
    $scope.post = {
        id: 1,
        authorId: 1,
        name: 'Demo post',
        getResourceId: function () { //AclResourceInterface implementation
            return 'Post';
        }
    };
}]);
Template
<h1>{{ post.name }}</h1>
<a ng-href="posts/{{ post.id }}/edit" ng-show="can(post, 'edit')">Edit</a>

How secure is this?

A great analogy to ACL's in JavaScript would be form validation in JavaScript. Just like form validation, ACL's in the browser can be tampered with. However, just like form validation, ACL's are really useful and provide a better experience for the user and the developer. Just remember, any sensitive data or actions should require a server (or similar) as the final authority.

Example Tampering Scenario

The current user has a role of "guest". A guest is not able to "create_users". However, this sneaky guest is clever enough to tamper with the system and give themselves that privilege. So, now that guest is at the "Create Users" page, and submits the form. The form data is sent the the server and the user is greeted with an "Access Denied: Unauthorized" message, because the server also checked to make sure that the user had the correct permissions.

Any sensitive data or actions should integrate a server check.