devise模式与规则引擎和node.js来处理权限
我有要求使用规则引擎在系统中实现angular色权限(这可能是一个矫枉过正?)但是权限是一种复杂和复杂的本身。 我很困惑如何授予访问权限或不使用规则引擎。
我也怀疑我应该用什么样的devise来实现它的可扩展性和可维护性。 所以在devise中的任何帮助或向我解释如何使用规则引擎将是伟大的。
使用nools ,mongoDB,node.js作为后端。
我在创build一个封装Nools的规则引擎实例(可能是一个反模式的内部平台可能?)在我的node.js应用程序的引导,并让它作为一个全局variables。
就像是:
'use strict'; var nools = require('nools'); var flows = require('./rule-engine.flows'); // A flow is a container of rules, so each flow could be a category of rules // In the same flow could have some more specific subcategories would be actionGroups? // I'm creating a ruleEngine instance that would contain nools but I'm not sure // if that would be a good practice, I have that to maybe encapsulate boilerplate code // or some straight forward operations in the future.. don't sure of this. var ruleEngine = function(){ this.nools = nools; }; ruleEngine.prototype.getFlowSession = function(flow){ if(this.nools.hasFlow(flow)){ return this.nools.getFlow(flow).getSession(); }else{ var fl = this.nools.flow(flow, flows[flow]); return fl.getSession(); } }; ruleEngine.prototype.createRule = function(flow, rule){ if(this.nools.hasFlow(flow)){ // implementation to add rules to a flow } }; ruleEngine.prototype.editRule = function(flow, rule, update){}; ruleEngine.prototype.retractRule = function(flow, rule){}; //could be global object, or cache object but certainly should be a single object. if(!GLOBAL.ruleEngine){ var ruleEngineInstance = new ruleEngine(); GLOBAL.ruleEngine = ruleEngineInstance; } //module.exports = GLOBAL.ruleEngine; 治-engine.flow:
'use strict'; var flowName = function(flow){ // query the rules to database or to cache.. then add the rules to the flow. // query bla bla function(results){ for(Var i=0; i<results.length; i++) flow.rule(results[i].name, results[i].constraints, results[i].action); // alternately, I could just from the bootstrap create a flow, // and create a function to add, modify or retract rules of a specific flow. // What would be the better design approach ? or combine two approach ? // bring from database the first time, and later use ruleModify, // ruleCreate or rule retract functions. }; module.exports = { flowName: flowName, // each would be a flow that would be a category of rules for the system flowName2: flowName2 };
如何使用它来实现权限,是通过事件传达规则引擎和外部应用/代码的唯一方式?
这些是我创build的一些规则(同时是用来创build模拟caching规则或MongoDB规则的flowName的规则)。
var results = [ { name: 'userAllow', constraints: [Object, 'obj', 'obj.systemRole === \'user\''], action: function(facts, session, next){ session.emit('event:userAllow', {data: 'user is allow'}); next(); } }, { name: 'userNotAllow', constraints: [Object, 'obj', 'obj.systemRole !== \'user\''], action: function(facts, session, next){ session.emit('event:userNotAllow', {data: 'user is not allow'}); next(); } }, { name: 'adminAllow', constraints: [Object, 'obj', 'obj.systemRole === \'admin\''], action: function(facts, session, next){ session.emit('event:adminAllow', {data: 'admin is allow!'}); next(); } }, { name: 'adminNotAllow', constraints: [Object, 'obj', 'obj.systemRole !== \'admin\''], action: function(facts, session, next){ session.emit('event:adminNotAllow', {data: 'admin not allow'}); next(); } } ];
所以有了这几条规则,我只想授予访问权限,当user.systemRole是pipe理员的例子..我应该使用以下方式的事件?
系统中的X方法:
//validate delete with ruleEngine... supposed only admin would be able to delete var self = this; var session = ruleEngine.getFlowSession('flowName'); session.assert({systemRole: User.role}); //User.role = 'user' || 'admin' session.on('event:adminAllow', function(d){ console.log('do the job because the user is admin'); // Delete implementation. }); session.on('event:adminNotAllow', function(d){ console.log('User not allow because is not admin'); }); session.on('fire',function(name){ console.log(name); }); session.match().then(function(){ session.dispose(); });
到目前为止,我有这个实现的一些问题..事件可以触发不止一次,我不能让它在删除操作或创build操作或类似的事情发生两次。
所以,除了我需要修复的错误(不知道如何) 编辑:
我评论了我的规则的最后一个(),然后事件被激发一次。 我还有其他疑问:
- 有好的做法破或反模式?
- 这是可扩展性和易于维护?
- 是规则引擎的正常工作方式?
- 这个实现的优缺点?
- 有没有更好的办法?
在此先感谢您的帮助。
你是否承诺使用nools? 如果不是,使用node_acl创build一个访问控制系统有一个更简单的(恕我直言)选项。
门禁系统基于三件事,angular色; 资源和权限。 您可以定义特定的angular色和资源,然后简单地为每个资源设置每个angular色的权限。 例如,您可以具有“pipe理员”angular色,并在资源“系统configuration”上设置权限“可以修改”。 然后,您只需根据需要将用户分配到angular色。
我很高兴提供一些示例代码,如果你喜欢,但你可以看看我写的关于为nodejs创build访问控制系统的教程 。