config.policies.md
Policy Mapping (ACL) Configuration

Note: These docs are now for version 0.9.0 of Sails. Please visit here for 0.8.x documentation.

Your app's ACL (access control list) is located in config/policies.js.

Applying a Policy

To a Specific Action

To apply a policy to a single action, name the policy on the right-hand side of that action:

{
  ProfileController: {
      edit: 'isLoggedIn'
  }
}

To an Entire Controller

To set the default policy mapping for a controller, use the * notation:

Note: Default policy mappings do not "cascade" or "trickle down." A mapping for a specific action replaces the controller's default mapping rather than adding to it. In this example, isLoggedIn overrides false for edit, while every other action of ProfileController stays mapped to false.

{
  ProfileController: {
    '*': false,
    edit: 'isLoggedIn'
  }
}

Globally

Note: Global policy mappings do not "cascade" or "trickle down" either. Any more specific mapping, whether a controller default or an action mapping, always overrides the global mapping. In this example, isLoggedIn overrides false for edit, and ProfileController's '*': false overrides the global '*': true for its remaining actions.

{

  // Anything you don't see here (the unmapped stuff) is publicly accessible
  '*': true,

  ProfileController: {
    '*': false,
    edit: 'isLoggedIn'
  }
}
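The precedence rules above (action mapping over controller default over global default, with no cascading) are easy to get wrong when reading a large policies file. The following is an added example written for this page, not Sails' own resolver: it models that precedence for a mapping object, and adds a hypothetical publicActions helper that lists every action an anonymous request can reach, which is the list you want to review before setting the global '*' to false in production. The controller inventory and the second controller are constructed for the example.

```javascript
// Added example: resolves which policies apply to (controller, action)
// under the precedence the text describes. A model written for this page,
// not Sails' own code.

// A mapping value can be true, false, a policy name, or an array of names;
// the last two are normalised to an array so callers see one shape.
function normalizeMapping(value) {
  if (value === true || value === false) return value;
  if (typeof value === 'string') return [value];
  if (Array.isArray(value)) return value.slice();
  throw new TypeError('Unsupported policy mapping: ' + JSON.stringify(value));
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Most specific mapping wins, and nothing cascades: an action mapping
// replaces (does not append to) the controller default, which in turn
// replaces the global default.
function resolvePolicy(policyMap, controller, action) {
  const controllerMap = policyMap[controller];
  if (controllerMap && typeof controllerMap === 'object') {
    if (has(controllerMap, action)) return normalizeMapping(controllerMap[action]);
    if (has(controllerMap, '*')) return normalizeMapping(controllerMap['*']);
  }
  if (has(policyMap, '*')) return normalizeMapping(policyMap['*']);
  // Assumption for this example only: fail closed when nothing matches.
  // A generated config/policies.js always carries a global '*', so this
  // branch is not something the page documents.
  return false;
}

// Audit helper (hypothetical): given the actions each controller exposes,
// list every action reachable by anonymous requests, i.e. resolving to true.
function publicActions(policyMap, controllerActions) {
  const out = [];
  for (const [controller, actions] of Object.entries(controllerActions)) {
    for (const action of actions) {
      if (resolvePolicy(policyMap, controller, action) === true) {
        out.push(controller + '.' + action);
      }
    }
  }
  return out;
}

// The mapping from the text, plus CommentController, which has no mapping
// of its own and therefore falls through to the global default.
const policies = {
  '*': true,
  ProfileController: {
    '*': false,
    edit: 'isLoggedIn',
  },
};

// Constructed inventory of actions (in a real app, enumerate api/controllers).
const controllerActions = {
  ProfileController: ['view', 'edit', 'destroy'],
  CommentController: ['create', 'destroy'],
};

console.log(resolvePolicy(policies, 'ProfileController', 'edit'));
console.log(resolvePolicy(policies, 'ProfileController', 'view'));
console.log(publicActions(policies, controllerActions));
```

With the global '*' set to true, every action of the unmapped CommentController shows up as public; switching that global default to false makes the audit list empty until you open actions deliberately, which is exactly the production posture the next section recommends.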

Built-in policies

true

Allow public access to the mapped controller/action. Any request gets through, no matter who sent it.

This is the default policy mapped to all controllers and actions in a new project. In production, it is good practice to set the global '*' mapping to false, so that any action you inadvertently exposed is blocked by default, and then map the actions that really should be public to true explicitly.

module.exports = {
  UserController: {

    // login should always be accessible
    login: true

  }
}

false

NO access to the mapped controller/action. No requests get through. Period.

module.exports = {
  MathController: {

    // This fancy algorithm we're working on isn't done yet
    // so we set it to false to disable it
    someFancyAlgorithm: false

  }
}

Custom policies

You can apply one or more policies to a given controller or action. Any file in your api/policies folder (e.g. authenticated.js) can be referenced in your ACL (config/policies.js) by its filename minus the extension (e.g. 'authenticated').

module.exports = {
  FileController: {
    upload: ['isAuthenticated', 'canWrite', 'hasEnoughSpace']
  }
}

Multiple Policies

To apply two or more policies to a given action, specify an array of policy names. Order matters: the policies run in the order listed.

module.exports = {
  UserController: {
    lock: ['isLoggedIn', 'isAdmin']
  }
}

In each policy, the next policy in the chain runs only if the policy calls next(), its third argument. If the last policy calls next(), the requested controller action runs. A policy that neither calls next() nor sends a response leaves the request hanging, so every code path in a policy must do one or the other.
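To make the chaining rule concrete, here is an added example (written for this page, not Sails' own policy runner) that models how a chain like ['isLoggedIn', 'isAdmin'] executes: each policy has the Sails policy signature (req, res, next), the next one runs only when next() is called, and a policy that responds instead of calling next() ends the request. The policies, the lock action, the request objects and the response stub are all constructed for the example; the stub's send(status, body) mimics the Express-style res.send that Sails controllers use.

```javascript
// Added example: a minimal model of how Sails runs an array of policies.
// Not the framework's code; the runner and the res stub are constructed.

// Policy (constructed; in Sails it would live in api/policies/isLoggedIn.js).
function isLoggedIn(req, res, next) {
  if (req.session && req.session.user) return next();
  // Respond without calling next(): the chain stops here.
  return res.send(403, 'You are not permitted to perform this action.');
}

// Policy that assumes isLoggedIn already ran, so req.session.user exists.
// This is why the order ['isLoggedIn', 'isAdmin'] matters.
function isAdmin(req, res, next) {
  if (req.session.user.isAdmin === true) return next();
  return res.send(403, 'Admin privileges required.');
}

// The controller action the chain protects (constructed).
function lock(req, res) {
  return res.send(200, { locked: true, by: req.session.user.name });
}

// Runs the policies in order, then the action. A policy that never calls
// next() ends the request, exactly as the text describes.
function runChain(policies, req, res, action) {
  let i = 0;
  function next() {
    if (i < policies.length) {
      const policy = policies[i++];
      res.trace.push(policy.name);
      return policy(req, res, next);
    }
    return action(req, res);
  }
  return next();
}

// Minimal stand-in for the response object: records the final status and
// body, plus which policies ran.
function makeRes() {
  return {
    statusCode: null,
    body: null,
    trace: [],
    send(status, body) { this.statusCode = status; this.body = body; },
  };
}

// Equivalent of the mapping  UserController: { lock: ['isLoggedIn', 'isAdmin'] }
const lockChain = [isLoggedIn, isAdmin];

function authorize(policies, action, req) {
  const res = makeRes();
  runChain(policies, req, res, action);
  return { status: res.statusCode, body: res.body, ran: res.trace };
}

// Constructed requests.
const anonymous = { session: {} };
const member = { session: { user: { name: 'alice', isAdmin: false } } };
const admin = { session: { user: { name: 'root', isAdmin: true } } };

console.log(authorize(lockChain, lock, anonymous));
console.log(authorize(lockChain, lock, member));
console.log(authorize(lockChain, lock, admin));
```

Reversing the array to ['isAdmin', 'isLoggedIn'] is not merely a style difference: for an anonymous request, isAdmin dereferences req.session.user before isLoggedIn has established it and throws, so the chain must be ordered so that each policy's preconditions are guaranteed by the policies before it.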