Policies work like any other system for controlling access: they let you allow or deny access at fine granularity.
Your app's ACL (access control list) is located in config/policies.js.
To apply a policy to a specific action, specify it on the right-hand side of that action:
{
  ProfileController: {
    edit: 'isLoggedIn'
  }
}
Note: Mapping a policy to a blueprint action works the same way. See Concepts > Policies for more info.
To set the default policy mapping for a controller, use the * notation:
{
  ProfileController: {
    '*': false,
    edit: 'isLoggedIn'
  }
}
Note: Default policy mappings do not "cascade" or "trickle down." Specified mappings for the controller's actions will override the default mapping. In this example, isLoggedIn is overriding false for the edit action.
To set the global default policy mapping, use the * notation at the top level:
{
  // Anything you don't see here (the unmapped stuff) is publicly accessible
  '*': true,
  ProfileController: {
    '*': false,
    edit: 'isLoggedIn'
  }
}
Note: Global policy mappings do not "cascade" or "trickle down" either. Specified mappings, whether they're default controller mappings or for specific actions, will ALWAYS override the global mapping. In this example, isLoggedIn is overriding false for the edit action, and false is overriding the global true for every other action of ProfileController.
The global '*': true mapping is the default policy mapped to all controllers and actions in a new project. In production, it's good practice to set this to false to prevent access to any logic you might have inadvertently exposed.
Mapping a controller/action to true allows public access to it. This will allow any request to get through, no matter what.
module.exports = {
  UserController: {
    // login should always be accessible
    login: true
  }
}
Mapping a controller/action to false means NO access to it. No requests get through. Period.
module.exports = {
  MathController: {
    // This fancy algorithm we're working on isn't done yet,
    // so we set it to false to disable it
    someFancyAlgorithm: false
  }
}
You can apply one or more policies to a given controller or action. Any file in your /policies folder (e.g. authenticated.js) can be referenced in your ACL (config/policies.js) by its filename minus the extension (e.g. 'authenticated').
module.exports = {
  FileController: {
    upload: ['isAuthenticated', 'canWrite', 'hasEnoughSpace']
  }
}
To apply two or more policies to a given action, specify an array, each entry referring to a specific policy (order matters!):
module.exports = {
  UserController: {
    lock: ['isLoggedIn', 'isAdmin']
  }
}
In each policy, the next policy in the chain will only run if next(), the third argument, is called. When and if the last policy calls next(), the requested controller action runs. A policy that responds to the request itself (for example with a 403) and never calls next() stops the chain, so later policies and the action are not reached.