Earlier, we analyzed the concept of Rules, which are based on Selectors, which in turn are based on Trees.

In the deep system, all interaction with the system occurs through operations on links. This is the axiom of deep. To control permissions, we apply rules as a permissions controller on the CRUD API (the programmatic interface for insert/update/delete/select operations on connections).

We have created basic actions as action symbols for rules: AllowSelect, AllowInsert, AllowUpdate, AllowDelete, AllowLogin, AllowPackagerInstall, AllowPackagerPublish.

These links are declared in the initial @deep-foundation/core package.

Deep Permissions pre-created Actions

How to use it?

As with any rule, you can manually check the permission to perform certain actions using can (📜 Rules).

let meId; // number (assign the real link id)
let friendId; // number (assign the real link id)
let passwordsId; // number (assign the real link id)
// For example, we want to allow friendId to select everything contained in the meId tree,
// but not the subtree under the passwordsId link.
const { data: [{ id: ruleId }] } = await deep.insert({
  type_id: await deep.id('@deep-foundation/core', 'Rule'),
  out: { data: [
    {
      // Who the rule applies to: friendId and its contain tree
      type_id: await deep.id('@deep-foundation/core', 'RuleSubject'),
      to: { data: {
        type_id: await deep.id('@deep-foundation/core', 'Selector'),
        out: { data: [
          {
            type_id: await deep.id('@deep-foundation/core', 'SelectorInclude'),
            to_id: friendId,
            out: { data: {
              type_id: await deep.id('@deep-foundation/core', 'SelectorTree'),
              to_id: await deep.id('@deep-foundation/core', 'containTree'),
            } },
          },
        ] },
      } }
    },
    {
      // What the rule covers: the meId tree minus the passwordsId subtree
      type_id: await deep.id('@deep-foundation/core', 'RuleObject'),
      to: { data: {
        type_id: await deep.id('@deep-foundation/core', 'Selector'),
        out: { data: [
          {
            type_id: await deep.id('@deep-foundation/core', 'SelectorInclude'),
            to_id: meId,
            out: { data: {
              type_id: await deep.id('@deep-foundation/core', 'SelectorTree'),
              to_id: await deep.id('@deep-foundation/core', 'containTree'),
            } },
          },
          {
            type_id: await deep.id('@deep-foundation/core', 'SelectorExclude'),
            to_id: passwordsId,
            out: { data: {
              type_id: await deep.id('@deep-foundation/core', 'SelectorTree'),
              to_id: await deep.id('@deep-foundation/core', 'containTree'),
            } },
          },
        ] },
      } }
    },
    {
      // Which action is granted: AllowSelect
      type_id: await deep.id('@deep-foundation/core', 'RuleAction'),
      to: { data: {
        type_id: await deep.id('@deep-foundation/core', 'Selector'),
        out: { data: [
          {
            type_id: await deep.id('@deep-foundation/core', 'SelectorInclude'),
            to_id: await deep.id('@deep-foundation/core', 'AllowSelect'),
            out: { data: {
              type_id: await deep.id('@deep-foundation/core', 'SelectorTree'),
              to_id: await deep.id('@deep-foundation/core', 'containTree'),
            } },
          },
        ] },
      } }
    },
  ] },
});

Example of a permission rule:

This is a simple permission, without bool_exp. AllowSelect supports only this kind.

Any access can be easily checked with:

await deep.can(meId, friendId, await deep.id('@deep-foundation/core', 'AllowLogin')); // true
await deep.can(passwordsId, friendId, await deep.id('@deep-foundation/core', 'AllowLogin')); // false
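
The include/exclude resolution behind the rule above, as an added example (not code from the Deep project): a simplified in-memory model, not the engine's implementation. The tree contents, `strangerId`, the helper names `subtree` and `resolveSelector`, and the synchronous `can` that takes the action as a string are assumptions; the check uses AllowSelect, the action the rule grants.

```javascript
// Simplified model (assumption): NOT the Deep engine's implementation.
// Constructed contain tree: parent link id -> contained link ids.
const contain = {
  1: [10, 11],    // meId (1) contains notes (10) and passwords (11)
  11: [110, 111], // passwords (11) contains two secrets
  2: [20],        // friendId (2) contains one link of its own
};
const meId = 1, friendId = 2, passwordsId = 11, strangerId = 3;

// A link id plus everything below it in the tree.
function subtree(rootId, tree = contain) {
  const seen = new Set();
  const stack = [rootId];
  while (stack.length) {
    const id = stack.pop();
    if (seen.has(id)) continue; // guards against cycles
    seen.add(id);
    stack.push(...(tree[id] || []));
  }
  return seen;
}

// Selector = union of included subtrees minus union of excluded subtrees.
function resolveSelector({ include = [], exclude = [] }) {
  const result = new Set();
  for (const id of include) for (const x of subtree(id)) result.add(x);
  for (const id of exclude) for (const x of subtree(id)) result.delete(x);
  return result;
}

// The rule from the example above, reduced to ids.
const rules = [{
  subject: { include: [friendId] },
  object: { include: [meId], exclude: [passwordsId] },
  action: { include: ['AllowSelect'] },
}];

// Default deny: allowed only if one rule matches subject, object and action.
function can(objectId, subjectId, action, ruleSet = rules) {
  return ruleSet.some((r) =>
    resolveSelector(r.subject).has(subjectId) &&
    resolveSelector(r.object).has(objectId) &&
    resolveSelector(r.action).has(action));
}
```

In this model the exclusion covers the whole passwordsId subtree, so links 110 and 111 are denied even though they sit inside the included meId tree.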

Permissions support a bool_exp SelectorFilter.

It can be used in any part of a rule: RuleObject, RuleSubject, or RuleAction.

SelectorFilter does not work in AllowSelect checks in the Hasura PostgreSQL Deep engine, but it can be used in any other actions, for example in the native deep actions AllowInsert, AllowDelete and AllowUpdate, or in any custom actions.

let meId; // number (assign the real link id)
let friendId; // number (assign the real link id)
let passwordsId; // number (assign the real link id)
// For example, we want to allow friendId to select everything contained in the meId tree,
// but not the subtree under the passwordsId link.
const { data: [{ id: ruleId }] } = await deep.insert({
  type_id: await deep.id('@deep-foundation/core', 'Rule'),
  out: { data: [
    // ...subject
    {
      type_id: await deep.id('@deep-foundation/core', 'RuleObject'),
      to: { data: {
        type_id: await deep.id('@deep-foundation/core', 'Selector'),
        out: { data: [
          // ...Includes/Excludes
          {
            type_id: await deep.id('@deep-foundation/core', 'SelectorFilter'),
            to: { data: {
              type_id: await deep.id('@deep-foundation/core', 'BoolExp'),
              object: { data: { value: {
                from: { in: { type_id: 5 } } // <<<<<<<<
              } } }
            } },
          },
        ] },
      } }
    },
    // ...action
  ] },
});

<aside> ‼️ The question is: what, ideally, would you like a system of rights for Trees (the mp table) to look like? Both _item_id and _path_item_id, or something smarter, tree-dependent, or something else...?

</aside>
