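/*
  Access-control (ACL) rules, exported as one plain object.

  Top-level keys name what is protected: a regular-expression key for
  index entries, the database methods `clear`, `entries`, `keys` and
  `values`, and the class key "User@". Roles are listed either as an
  array of role names (["dbo"]) or as a map ({dbo: true}); both forms
  appear below as examples.
*/
(function () {
  module.exports = {
    /*
      Index keys in Thunderclap all start with an "!". Use a regular
      expression match to prevent direct index access by anyone other
      than a dbo. Internally a built-in dbo does index look-up and
      drops indexes the current user is not authorized to use from
      the look-up process. Changing this will create a data security
      inference leak.

      NOTE(review): the pattern has no leading "^". If it is applied as
      an unanchored match it also covers keys that merely contain "!",
      which denies more than the text above describes. Confirm how the
      pattern is evaluated before tightening or loosening it.
    */
    [/\!.*/]: {
      read: ["dbo"],
      write: {
        dbo: true, // alternate form of role specification for example
      },
    },
    // Only a dbo can call `clear` on a database.
    clear: {
      execute: ["dbo"],
    },
    // Only a dbo can call `entries` to get matching entries in a database.
    entries: {
      execute: ["dbo"],
    },
    // Only a dbo can call `keys` to get matching keys in a database.
    keys: {
      execute: ["dbo"],
    },
    // Only a dbo can call `values` to get matching values in a database.
    values: {
      execute: ["dbo"],
    },
    // The key to control access to objects of class "User".
    // (The listing was missing the opening brace of this rule object,
    // which made the whole file a syntax error.)
    "User@": {
      /*
        Very restrictive. Don't return a user record for read or write
        unless requested by a dbo or data subject. Application implementers
        will probably want to modify this.

        Resolves to the record when access is allowed and to undefined
        otherwise. A missing user, missing roles or missing record is
        treated as "not allowed" instead of throwing, and two absent
        userName values are never treated as a match.
      */
      filter: async function ({ action, user, data, request }) {
        const isDbo = Boolean(user && user.roles && user.roles.dbo);
        const isSubject =
          Boolean(user && data) &&
          user.userName != null &&
          user.userName === data.userName;
        if (isDbo || isSubject) {
          return data;
        }
      },
      // Control the properties within a User object.
      properties: {
        read: {
          // Only dbos can read roles.
          roles: ["dbo"],
          // Only dbos can read password hashes.
          hash: ["dbo"],
          // Only dbos can read password salts.
          salt: {
            dbo: true, // example of alternate control form
          },
        },
        write: {
          password: {
            /*
              A property named "password" can never be written.
              Added in case an application developer happens
              to create a property by this name. Thunderclap
              does not use.
            */
          },
          // Only the dbo and the data subject can write a hash and salt.
          // The subject check requires a defined userName so that a user
          // without one cannot match a record without one.
          hash: ({ action, user, object, key, request }) => {
            if (user && user.roles && user.roles.dbo) {
              return true;
            }
            return (
              Boolean(user && object) &&
              user.userName != null &&
              object.userName === user.userName
            );
          },
          salt: ({ action, user, object, key, request }) => {
            if (user && user.roles && user.roles.dbo) {
              return true;
            }
            return (
              Boolean(user && object) &&
              user.userName != null &&
              object.userName === user.userName
            );
          },
          // Can't change name of primary dbo.
          // NOTE(review): only the userName on `object` is checked; whether
          // `object` is the stored record or the incoming one is not visible
          // here. Confirm that no other record can be given the name "dbo".
          userName: ({ action, user, object, key, request }) => {
            return object.userName !== "dbo";
          },
        },
      },
    },
  };
}).call(this);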