Environment-Based Rules

[00:00:00]
>> Kyle Cook: Now the next thing that I want to be able to talk about are the advanced features built into attribute access control that we can start implementing, and there's quite a few of them. So, we have some new requirements that we want to implement inside of our application, and these new requirements are going to be first, field-level permissions. This is something that is a nightmare to implement in almost every permission system if you've ever had to do it before.

[00:00:20]
With our attribute-based access control, it's going to be slightly less of a nightmare. It's still not fun, but it'll be much easier than it was before. And essentially all we're doing with our field-level permissions, we're keeping it very simple, is that viewers are not able to see the created at and updated at metadata for documents. So we're just hiding that information from viewers specifically.

[00:00:41]
This is just so we can have a really simple way to see how this works without having to write a bunch of different field level permission controls. So this is field level read permissions. We also want to change field level write permissions, which I find to be the more common way that you use this type of field limiting is when you want to restrict certain people from changing certain fields. For example, the is locked field on a document, we don't want anyone to change that.

[00:01:04]
We only want to allow admins to lock down documents or not. Also, the status property can only be changed by admins or editors, because authors don't have the ability to publish their own data, we only allow editors and admins to approve that data to go from draft to the published status. So that means that we want to make sure we restrict what fields people can write, and this is where it can kind of get hairy and difficult with our permission system, but we'll try to make it as easy as possible with attribute-based access control.

[00:01:30]
Finally, we want to add some environment-based rules. So these environment-based rules are specifically going to be very simple. For us, we're imagining this company really values your work-life balance, so it's going to restrict editors and authors from making changes on the weekends. So anything is going to be completely restricted for on the weekends, so they can't create or update any documents if it's a weekend.

[00:01:51]
So this is kind of going into that stuff that's not directly related to a user or a resource, but it's kind of external to the environment they're working within. Finally, the last thing we're going to implement is going to be automatic database filtering. One of the big things that you've kind of seen me talk about a bunch is the fact that inside of our code, if we just go ahead to one of these services, you know that we have this database code that duplicates all of our permission logics.

[00:02:14]
We have the same permission logic in SQL as we do inside of our actual permission code. We want to unify those into one system, and that's what this automatic database filtering is going to be. This is where one of the more complicated sets of TypeScript is going to go in our project, unfortunately, but it's going to be really useful for making sure we have one single source of truth. So let's start with the easiest, implementing environment-based rules.

[00:02:37]
This is dead simple based on how we set up our system. All we need to do is determine what the environment is. In our case, it's based on the current day, so we can get that JavaScript very easily, and then we can essentially allow or deny permissions based on what day it is. So, I might as well copy that code for getting the day of the week. Here we go. And we'll go into where we create our permission code, so that's this attributes-based access control.

[00:03:02]
And essentially right here before I do any of my code, I want to just get whether or not it is the weekend because we know authors and editors are restricted specifically on the weekend. So I'm going to take that is weekend code. I'm going to pass that in to my editor and to my author permissions because we want to restrict them only on the weekend, and then we can update these particular code pieces.

[00:03:23]
So is weekend is going to be a boolean. And we know that if it is the weekend, we want to restrict them, so if it's not the weekend, we can allow them to do this code. So we can say, if it is not the weekend. Then we can allow them to do all the code inside of here. There we go. So essentially, whenever it's not the weekend, we allow them to do whatever updates they could do before. Now to be able to test this, today it's currently Tuesday, so if I actually just change my code up here from a 0 to a 2, that represents Tuesday.

[00:03:57]
And I were to log in as an editor. Right here, we should see that I no longer have the ability to edit anything. You can see the edit button has completely disappeared. That's because we are restricting Tuesdays from being editable days. Now in our case, we want to restrict Saturday, Sunday, so we'll use 0 and 6, and if I save that and I go back to my code, you'll see that as soon as I refresh my page, the edit button is, oh, of course the edit button didn't appear on that one because that one is locked.

[00:04:20]
You can see the edit button is here. Now let me change this back to a 2. And we will go back and you can see the edit button has disappeared, so it's very easy for me to change these permissions and automatically have them reflect everywhere, and again, in our case, this is only a weekend thing, so we're just going to be checking for Sunday and Saturday. Now, unfortunately, none of the rest of the things we're going to be implementing are quite as simple as this one, that was only a few lines.

[00:04:42]
Actually, speaking of, I didn't even finish implementing the author section, so let's go ahead and do that. We have the editor down, let's do the author as well. There we go. And what we can do down here, anything that is create or update related, if it is not the weekend, they cannot do that, or if it is not the weekend then they can do that. So we'll just make sure to wrap those just like that. There we go, and again we're restricting just create and update to be done on weekdays only.