Guard
This article is outdated and it will be updated after identity and guard are implemented.
Guards are role based access control. Instead of defining roles, we describe it in places we need it. This is more flexible, readable and descriptive.
Permissions include:
canMutate
whether this person can create, update or deletecanRead
whether this person can read
Model guard
A model guard protects API on the model level.
@canRead($identity($is($self)))
@canMutate(
$when(.update, $identity($is($self)))
.when(.delete, $identity($is($self)))
)
@identity
model Rider {
@id @autoIncrement @readonly
id: Int
@unique @identity
email: String
@writeonly @identityChecker($bcryptVerify($self.get(.password)))
@onSet($hasLength(8...16).isSecurePassword.bcryptSalt)
password: String
@relation(fields: .id, references: .riderId)
orders: Order[]
}
@canRead($identity($is($self, .rider)))
@canMutate(
$when(.update, $identity($is($self, .rider)))
.when(.delete, $identity($is($self, .rider)))
.when(.create, $identity($isA(Rider)))
)
model Order {
@id @autoIncrement @readonly
id: Int
@foreignKey
riderId: Int
@relation(fields: .riderId, references: .id)
rider: Rider
}
In this example, only rider can delete or update him/herself. Only order owner can update or delete his/her orders.
Field guard
A field guard protects API on the field level.
A field has permissions, too. Field value is removed from the output if a user
has model read permission but doesn't have field read permission. delete
action is not triggered on fields.
model Order {
@id @autoIncrement @readonly
id: Int
@canMutate($identity($is($self, .rider)))
amount: Int
@foreignKey
riderId: Int
@relation(fields: .riderId, references: .id)
rider: Rider
}
In this example, only order's owner can change the amount.