What I learnt about Access Control
After taking Wesbos’ Advanced React course, I got a better idea on how to configure the user Access Control ! Here is what I learnt with examples based on the KeystoneJS server.
Authentication VS Authorisation
Authentication — checks if the user is signed in.
Authorisation — checks if user has the permission to perform certain actions.
What does the structure look like ?
The Key Piece! => Session!
In the main KeystoneJS configuration, the Session passes the user details such as id , email, along with the request.
In KeystoneJS schema definition, all permission/ rule functions for configuring CRUD access receive session as an input. Using the session, the permission/ rule functions can have the user info and decide whether to let user do this action!
Like in a RPG game…
I find it easier to relate the 4 things used to set up access control to a game.
The Role is like a helmet or protective gear. It can have special capabilities (permissions) attached, like [x] can unlock the red door.
The User (players) can wear different protective gears. Multiple people in the team may wear the same iron helmet and have the same permission to [x] can unlock the red door.
Sometimes, the Chosen One or The One, does not need any special gear to have the permission! That is dictated by the Rules.
Putting everything together
- Role is another Schema type especially used for assigning a set of permissions to users
- In KeystoneJS, for Roles, we can create an admin UI with a checkbox list of permissions which we can enable for different Roles.
- In Session, we can expose the permissions that a user has so that graphQL queries can receive the permission info of this user. See line 84
- The Rules, are made of permissions and the session data so that we can add more flexibility in access controls. Not only can we allow specific users to have the access, we can also give more granularity in what they can access! For instance, in this example, the
canReadProductsrule returns a Keystone query — for users without specific permissions granted, if they are the owner, they can see all products. Otherwise, they can only see available products
return {
OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
};More Info
- KeystoneJS Access Control docs
- Wesbos Advanced React Course + Repo