Luc

Reputation: 17072

Sails: How to only authorize creation of a blueprint model

In my sails application, I have created the Data model and controller (blueprint model).

I have set up the following policies to only authorize the creation of new data.

module.exports.policies = {

  // Prevent all actions
  '*': false,

  // Data controller's policies
  DataController:{
    '*': false,
    'create': true
  }
};

This does not work and prevents all the actions. Don't the 'create' rules have priority over the rules above them?

UPDATE

My mistake, DataController should be replaced by data (thanks to the #sailsjs IRC).

I have updated the policies order but this is not working either:

module.exports.policies = {

  // Data controller's policies
  data:{
    'create': true, 
    'find': false,
    'findAll': false,
    'update': false,
    'destroy': false
  }
};

With this code, even the 'create' action is forbidden when this is the only one I need open to anyone.

Upvotes: 1

Views: 2150

Answers (1)

scott

Reputation: 596

I assume you are using the built-in blueprints that Sails.js provides.

You will find that the following policies will allow you to access the '/data/create' route:

data: {
  'find': true, 
  'create': true,
  'update': true,
  'destroy': false,
  'findAll': false
}

I am unsure why your policies have to be configured like this in order for you to access the 'create' route, but I suppose it has something to do with the way blueprints are implemented behind the scenes.

A possible work around to your problem is to create your own routes that override the default blueprints provided by Sails. For example, mapping '/data/create' to a createData method within the Data controller and then specifying the policies that apply to this method.

My understanding is that these CRUD routes are only intended for use during development; you will find that this is also stated within the config/controllers.js file:

// These CRUD shortcuts exist for your convenience during development,
// but you'll want to disable them in production.
// '/:controller/find/:id?'
// '/:controller/create'
// '/:controller/update/:id'
// '/:controller/destroy/:id'

As blueprints are not intended to be used in production, writing policies that target these default CRUD shortcuts serves no purpose. So, another option would be to disable blueprints altogether in config/controllers.js and instead apply policies to your own custom routes and methods.

Upvotes: 3
