								# Strapi Permissions
								Highly customizable permission engine made for Strapi
								## Get Started
								```sh
								yarn add @strapi/permissions 
								```
								
								```javascript
								const permissions = require('@strapi/permissions');
								
								const engine = permissions.engine.new({ providers });
								
								const ability = await engine.generateAbility([
								  { action: 'read' },
								  { action: 'delete', subject: 'foo' },
								  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
								  {
								    action: 'create',
								    subject: 'foo',
								    properties: { fields: ['foobar'] },
								    conditions: ['isAuthor'],
								  },
								]);
								
								ability.can('read'); // true
								ability.can('publish'); // false
								ability.can('update', 'foo'); // false
								ability.can('update', 'bar'); // true
								```
								
								- You need to give both an action provider and a condition provider as parameters when instantiating a new permission engine. They must be contained in a `providers` object property.
								- You can also pass an `abilityBuilderFactory` to customize what kind of ability the `generateAbility` method will return. By default it uses a `@casl/ability` builder.
								
								You can also register hooks on each engine instance.
								See `createEngineHooks` in `lib/engine/hooks.js` for the available hooks.
								
								```javascript
								const permissions = require('@strapi/permissions');
								
								const engine = permissions.engine
								  .new({ providers })
								  .on('before-format::validate.permission', ({ permission }) => {
								    if (permission.action === 'read') {
								      return false;
								    }
								  });
								
								const ability = await engine.generateAbility([
								  { action: 'read' },
								  { action: 'delete', subject: 'foo' },
								  { action: 'update', subject: 'bar', properties: { fields: ['foobar'] } },
								  {
								    action: 'create',
								    subject: 'foo',
								    properties: { fields: ['foobar'] },
								    conditions: ['isAuthor'],
								  },
								]);
								
								ability.can('read'); // false since the validation hook prevents the engine from registering the permission
								ability.can('publish'); // false
								ability.can('update', 'foo'); // false
								ability.can('update', 'bar'); // true
								```
								
								The `format.permission` hook can be used to modify each permission.
								
								```javascript
								const permissions = require('@strapi/permissions');
								
								const engine = permissions.engine
								  .new({ providers })
								  .on('before-format::validate.permission', ({ permission }) => {
								    if (permission.action === 'modify') {
								      return false;
								    }
								  })
								  .on('after-format::validate.permission', ({ permission }) => {
								    if (permission.action === 'update') {
								      return false;
								    }
								  })
								  .on('format.permission', ({ permission }) => {
								    if (permission.action === 'update') {
								      return {
								        ...permission,
								        action: 'modify',
								      };
								    }
								    if (permission.action === 'delete') {
								      return {
								        ...permission,
								        action: 'remove',
								      };
								    }
								    return permission;
								  });
								
								const ability = await engine.generateAbility([{ action: 'update' }, { action: 'delete' }]);
								
								ability.can('update'); // false
								ability.can('modify'); // true, because 'update' was changed to 'modify' by format.permission
								
								ability.can('delete'); // false: 'delete' no longer exists because format.permission changed it to 'remove'
								ability.can('remove'); // true: before-format::validate.permission ran on 'delete' before format.permission changed it to 'remove'
								```