Access Control
The backend provides Public/Private/Role-based/ACL access control
Background:
  Given client accepts JSON

Scenario: Bob can access his data only
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
  And client is authenticated as Bob
  When client requests GET /api/buildings
  Then response status should be 200
  And response body should be JSON:
    """
    [ { "_id" : "541816f042e7d8204d000001", "label" : "Town Hall", "level" : 3, "_owner" : "[email protected]" },
      { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]" } ]
    """

Scenario: John can not list private objects from Bob
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
  And client is authenticated as John
  When client requests GET /api/buildings
  Then response status should be 200
  And response body should be JSON:
    """
    [ ]
    """

Scenario: John can not get a private object from Bob
  Given the system knows this Building JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "Town Hall", "level": 3, "_owner": "[email protected]" }
    """
  And client is authenticated as John
  When client requests GET /api/buildings/541816f042e7d8204d000001
  Then response status should be 422
  And response body should be JSON:
    """
    { "status": "Unprocessable Entity", "message": "Object with _id 541816f042e7d8204d000001 not found." }
    """

Scenario: John can not insert and override a private object from Bob
  Given the system knows this Building JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "Town Hall", "level": 3, "_owner": "[email protected]" }
    """
  And client is authenticated as John
  When client requests POST /api/buildings with JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422
  When client requests POST /api/buildings with JSON:
    """
    { "label": "John's Town Hall", "level": 999, "_owner": "[email protected]" }
    """
  Then response status should be 422

Scenario: John can not modify and override a private object from Bob
  Given the system knows this Building JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "Town Hall", "level": 3, "_owner": "[email protected]" }
    """
  And client is authenticated as John
  When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422
  When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "label": "John's Town Hall", "level": 999, "_owner": "[email protected]" }
    """
  Then response status should be 422
  When client requests PUT /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422

Scenario: John can not mutate and override a private object from Bob
  Given the system knows this Building JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "Town Hall", "level": 3, "_owner": "[email protected]" }
    """
  And client is authenticated as John
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "label": "John's Town Hall", "level": 999, "_owner": "[email protected]" }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422

Scenario: John can not delete a private object from Bob
  Given the system knows this Building JSON:
    """
    { "_id": "541816f042e7d8204d000001", "label": "Town Hall", "level": 3, "_owner": "[email protected]" }
    """
  And client is authenticated as John
  When client requests DELETE /api/buildings/541816f042e7d8204d000001
  Then response status should be 422

Scenario: John can not find private objects from Bob
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] |
  And client is authenticated as John
  When client requests POST /api/buildings/search with JSON:
    """
    { }
    """
  Then response status should be 200
  And response body should be JSON:
    """
    [ ]
    """
  When client requests POST /api/buildings/search with JSON:
    """
    { "level": 3 }
    """
  Then response status should be 200
  And response body should be JSON:
    """
    [ ]
    """
  When client requests POST /api/buildings/search with JSON:
    """
    { "_id": "541816f042e7d8204d000001" }
    """
  Then response status should be 422
  When client requests POST /api/buildings/search with JSON:
    """
    { "_owner": "[email protected]" }
    """
  Then response status should be 422

Scenario: John can read objects from Bob only if he has read permission
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            | _tags                                                                                                      |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ ]                                                                                                        |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ]        |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]", "bar" ], "_permissions" : [ { "_read" : true } ] } ]         |
  And client is authenticated as John
  When client requests GET /api/buildings
  Then response status should be 200
  And response body should be JSON:
    """
    [ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] },
      { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]" ], "_permissions" : [ { "_read" : true } ] } ] } ]
    """
  When client requests GET /api/buildings/541816f042e7d8204d000003
  Then response status should be 200
  And response body should be JSON:
    """
    { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]" ], "_permissions" : [ { "_read" : true } ] } ] }
    """
  When client requests POST /api/buildings/search with JSON:
    """
    { "level": 3 }
    """
  Then response status should be 200
  And response body should be JSON:
    """
    [ { "_id" : "541816f042e7d8204d000002", "label" : "Army Camp", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ] },
      { "_id" : "541816f042e7d8204d000003", "label" : "Gold Mine", "level" : 3, "_owner" : "[email protected]", "_tags" : [ { "_targets" : [ "[email protected]" ], "_permissions" : [ { "_read" : true } ] } ] } ]
    """

Scenario: John can update objects from Bob only if he has read/write permission
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            | _tags                                                                                                                       |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]" ], "_permissions" : [ { "_read" : true }, { "_write" : false } ] } ]          |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ]                         |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "bar" ], "_permissions" : [ { "_read" : true }, { "_write" : true } ] } ]           |
  And client is authenticated as John
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
    """
    { "label": "John's Town Hall", "level": 999 }
    """
  Then response status should be 200
  And response body should be JSON:
    """
    { "status": "ok" }
    """

Scenario: Even if he has read/write permission, John must not be able to modify permissions of objects from Bob
  Given the system only knows those Buildings:
    | _id                      | label     | level | _owner            | _tags                                                                                                                       |
    | 541816f042e7d8204d000001 | Town Hall | 3     | [email protected] | [ { "_targets" : [ "foo", "[email protected]" ], "_permissions" : [ { "_read" : true }, { "_write" : false } ] } ]          |
    | 541816f042e7d8204d000002 | Army Camp | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "someoneelse" ], "_permissions" : [ { "_read" : true } ] } ]                         |
    | 541816f042e7d8204d000003 | Gold Mine | 3     | [email protected] | [ { "_targets" : [ "[email protected]", "bar" ], "_permissions" : [ { "_read" : true }, { "_write" : true } ] } ]           |
  And client is authenticated as John
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "_owner": "[email protected]" }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000001 with JSON:
    """
    { "_tags": [ { "_targets": [ "[email protected]" ], "_permissions": [ { "_read": true }, { "_write": true } ] } ] }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
    """
    { "_owner": "[email protected]" }
    """
  Then response status should be 422
  When client requests PATCH /api/buildings/541816f042e7d8204d000003 with JSON:
    """
    { "_tags": [ { "_targets": [ "[email protected]", "[email protected]" ], "_permissions": [ { "_read": true }, { "_write": true } ] } ] }
    """
  Then response status should be 422
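The scenarios above pin down four rules: a non-owner only sees objects that a tag explicitly grants `_read` on, a denied read is answered exactly like a missing object (422 "not found"), `_write` is required for PATCH, and `_owner` and `_tags` can only be changed by the owner. The following reference model of those rules is an added example, not the backend's own code. It assumes a document is a dict with `_id`, `_owner` and an optional `_tags` list whose entries carry `_targets` and `_permissions`, that search is refused outright when keyed on `_id` or `_owner` (the feature answers 422 to those queries), and that delete is owner-only; the user identifiers `bob@example.com` and `john@example.com` are constructed because the page masks the real addresses.

```python
"""Reference model of the access-control rules exercised by the feature above.

Added example, not the backend's own code.  Assumed data model: a document is
a dict with `_id`, `_owner` and an optional `_tags` list; each tag names
`_targets` (user identifiers) and `_permissions` (single-key dicts such as
{"_read": true} or {"_write": true}).  Status codes follow the feature: 200 on
success, 422 whenever the caller may not see or change the object, so a denied
read is indistinguishable from a missing one.
"""
import secrets
from copy import deepcopy

PROTECTED = {"_owner", "_tags"}      # only the owner may change these fields
UNSEARCHABLE = {"_id", "_owner"}     # the feature answers 422 to searches on these keys

# Constructed identities; the page masks the real addresses.
BOB, JOHN = "bob@example.com", "john@example.com"


def _granted(user, doc):
    """Permission flags the document's tags grant to `user` (ownership aside)."""
    flags = {"_read": False, "_write": False}
    for tag in doc.get("_tags", []):
        if user in tag.get("_targets", []):
            for perm in tag.get("_permissions", []):
                for key, value in perm.items():
                    flags[key] = flags.get(key, False) or bool(value)
    return flags


def can_read(user, doc):
    return doc["_owner"] == user or _granted(user, doc)["_read"]


def can_write(user, doc):
    return doc["_owner"] == user or _granted(user, doc)["_write"]


def _not_found(_id):
    # Same answer for "does not exist" and "exists but you may not see it".
    return 422, {"status": "Unprocessable Entity",
                 "message": f"Object with _id {_id} not found."}


def _view(user, doc):
    """Owner sees everything; a grantee sees only the tag entries naming them."""
    out = deepcopy(doc)
    if doc["_owner"] != user and "_tags" in out:
        out["_tags"] = [{"_targets": [user], "_permissions": t.get("_permissions", [])}
                        for t in out["_tags"] if user in t.get("_targets", [])]
    return out


def list_buildings(user, store):
    return 200, [_view(user, d) for d in store.values() if can_read(user, d)]


def get_building(user, store, _id):
    doc = store.get(_id)
    if doc is None or not can_read(user, doc):
        return _not_found(_id)
    return 200, _view(user, doc)


def search_buildings(user, store, query):
    if set(query) & UNSEARCHABLE:
        return 422, {"status": "Unprocessable Entity", "message": "Query key not allowed."}
    _, visible = list_buildings(user, store)   # filter only what the caller may read
    return 200, [d for d in visible if all(d.get(k) == v for k, v in query.items())]


def create_building(user, store, body):
    """Refuse to overwrite an existing _id or to create on someone else's behalf."""
    if body.get("_id") in store or body.get("_owner", user) != user:
        return 422, {"status": "Unprocessable Entity", "message": "Cannot create object."}
    doc = dict(body, _owner=user)            # ownership always comes from the session
    doc.setdefault("_id", secrets.token_hex(12))
    store[doc["_id"]] = doc
    return 200, _view(user, doc)


def update_building(user, store, _id, changes):
    doc = store.get(_id)
    if doc is None or not can_write(user, doc):
        return _not_found(_id)
    if doc["_owner"] != user and set(changes) & PROTECTED:
        return 422, {"status": "Unprocessable Entity",
                     "message": "Only the owner may change ownership or permissions."}
    doc.update({k: v for k, v in changes.items() if k != "_id"})
    return 200, {"status": "ok"}


def delete_building(user, store, _id):
    # Assumption: deletion is owner-only; the feature only shows the non-owner case.
    doc = store.get(_id)
    if doc is None or doc["_owner"] != user:
        return _not_found(_id)
    del store[_id]
    return 200, {"status": "ok"}


def sample_store():
    """The three buildings of the feature's last table (Army Camp is John's)."""
    tags = lambda targets, *perms: [{"_targets": targets, "_permissions": list(perms)}]
    rows = [
        ("541816f042e7d8204d000001", "Town Hall", BOB, tags(["foo", JOHN], {"_read": True}, {"_write": False})),
        ("541816f042e7d8204d000002", "Army Camp", JOHN, tags([JOHN, "someoneelse"], {"_read": True})),
        ("541816f042e7d8204d000003", "Gold Mine", BOB, tags([JOHN, "bar"], {"_read": True}, {"_write": True})),
    ]
    return {i: {"_id": i, "label": l, "level": 3, "_owner": o, "_tags": t} for i, l, o, t in rows}
```

The point worth copying from the model is that authorization and existence checks share one code path (`_not_found`), and that `_owner` is never taken from the request body on create: both close the "override" holes the PUT/PATCH/POST scenarios probe.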
Last published over 7 years ago by Bruno Le Hyaric.