Most of the times, we want to grant our users access to a particular resource conditionally, i.e. only if the user/request matches certain criteria or conditions.
There are three primary security rules in Space Cloud for granting access conditionally:
match rule.match and query.You can easily model complex authorization tasks in Space Cloud by combining multiple security rules together using
and/orrules.
For example, a user with the role author should be allowed to delete an article only if he is the author of that article. (i.e. the article’s author_id field is equal to the id claim of the user) However, an admin should be able to delete any article. This can be modelled as - an article should be allowed to delete only if the user has role admin, or if the user has role user and the article id is equal to user id.
Here’s a security rule expressing the authorization logic for the above example:
{
"rule": "or",
"clauses": [
{
"rule": "match",
"type": "string",
"eval": "==",
"f1": "args.auth.role", // assuming token contains a claim named role
"f2": "admin"
},
{
"rule": "or",
"clauses": [
{
"rule": "match",
"type": "string",
"eval": "==",
"f1": "args.auth.role",
"f2": "user"
},
{
"rule": "match",
"type": "string",
"eval": "==",
"f1": "args.find.author_id", // args.find is the variable containing the where clause
"f2": "args.auth.id" // assuming token contains a claim names id equal to id of the user
}
]
}
]
}
Check out the in-depth documentation for the match, query and webhook rules in the upcoming pages.
Have a technical question?
Improve the docs!
