policy-types.remarkup
Policy types

Policies are another central concept in Sealious. They help make sure that users
see only what they are intended to be allowed to see.

A Policy is a piece of logic that runs _before_ every ORM action.

The way Policies are implemented in Sealious is quite unique. Let's say that you
have a collection with thousands and thousands of items, but the result of a
given policy is that each user can see only a small portion of the whole.

In such a scenario, if the user requests a page of 10 items, the backend is tasked
with finding 10 items that the given user has access to. A common,
non-Sealious way to do that would be to query the database for, say, 100 items,
then check whether each one can be seen by the given user, throw away the ones that do
not match the policy, and repeat the process again and again until 10
policy-approved items are found. This is inefficient!

In Sealious, Policies are implemented as database queries (or, to be more
precise, as Mongo Aggregation Pipeline Stages). If a collection
has a certain Policy attached for the list action, then that policy creates an arbitrary number of
aggregation pipeline stages. Those stages are then pushed before the other stages (filtering, sorting, etc.).
Thanks to that, even the most complex queries - including multiple policies, filters, sorting and
pagination - are done with just one database query.
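The stage-based approach described above, as an added example that is not part of Sealious or of this document: each policy is a function from a request context to a `$match` expression, the higher-order policies combine those expressions with `$and`, `$or` and `$nor`, and the policy stage is prepended ahead of the caller's filter, sort and pagination so that one pipeline answers the whole request. The context fields `user_id` and `roles`, the `buildPipeline` helper and the in-memory `runPipeline` stand-in for Mongo are assumptions made for this example.

```javascript
// Added illustration, not Sealious's own code: policies rendered as MongoDB
// $match stages prepended to the query pipeline. Policy names mirror the table
// below; context fields, buildPipeline and the runPipeline test double are assumed.
const ALL = { _id: { $exists: true } };   // filter that matches every document
const NONE = { _id: { $exists: false } }; // filter that matches nothing
// A policy maps a request context to a $match filter expression.
const Public = () => () => ALL;
const LoggedIn = () => (ctx) => (ctx.user_id ? ALL : NONE);
const Owner = () => (ctx) => (ctx.user_id ? { created_by: ctx.user_id } : NONE);
const Roles = (roles) => (ctx) =>
  roles.some((r) => (ctx.roles || []).includes(r)) ? ALL : NONE;
const And = (ps) => (ctx) => ({ $and: ps.map((p) => p(ctx)) });
const Or = (ps) => (ctx) => ({ $or: ps.map((p) => p(ctx)) });
const Not = (p) => (ctx) => ({ $nor: [p(ctx)] });
// Policy stage first, then the caller's filter, sort and pagination: the whole
// request is one aggregation round trip instead of fetch-check-discard loops.
function buildPipeline(policy, ctx, { filter = {}, sort = { _id: 1 }, page = 1, perPage = 10 } = {}) {
  return [{ $match: policy(ctx) }, { $match: filter }, { $sort: sort },
          { $skip: (page - 1) * perPage }, { $limit: perPage }];
}
// Minimal evaluator for the operator subset used above, standing in for Mongo.
function matches(doc, expr) {
  return Object.entries(expr).every(([k, v]) => {
    if (k === "$and") return v.every((e) => matches(doc, e));
    if (k === "$or") return v.some((e) => matches(doc, e));
    if (k === "$nor") return !v.some((e) => matches(doc, e));
    if (v && typeof v === "object" && "$exists" in v) return (k in doc) === v.$exists;
    return doc[k] === v;
  });
}
function runPipeline(docs, pipeline) {
  return pipeline.reduce((rows, stage) => {
    if (stage.$match) return rows.filter((d) => matches(d, stage.$match));
    if (stage.$sort) {
      const [[f, dir]] = Object.entries(stage.$sort);
      return [...rows].sort((a, b) => (a[f] > b[f] ? dir : a[f] < b[f] ? -dir : 0));
    }
    if ("$skip" in stage) return rows.slice(stage.$skip);
    if ("$limit" in stage) return rows.slice(0, stage.$limit);
    return rows;
  }, docs);
}
// Constructed sample collection: tasks created by two users.
const TASKS = [
  { _id: 1, created_by: "alice", title: "a" },
  { _id: 2, created_by: "bob", title: "b" },
  { _id: 3, created_by: "alice", title: "c" },
];
// Owners see their own tasks, admins see everything; returns the visible ids for a context.
function visibleIds(ctx, policy = Or([Owner(), Roles(["admin"])]), opts = { perPage: 2 }) {
  return runPipeline(TASKS, buildPipeline(policy, ctx, opts)).map((t) => t._id);
}
```

An anonymous context yields an empty page rather than an error, because every policy that cannot pass collapses to a filter that matches nothing.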

List of built-in policy types

| Policy name | Is Higher Order | Description | Usage |
| --- | --- | --- | --- |
| And | | Combines multiple policies. Accepts only contexts that pass all of those policies. | see docs |
| If | | Uses one of the two specified policies, depending on a named_filter match result | see docs |
| LoggedIn | | Accepts only users who are logged in | `new Policies.LoggedIn()` |
| Noone | | Accepts no one. The polar opposite of Public | `new Policies.Noone()` |
| Not | | Reverses the given policy. Not(Public) is like Noone | `new Policies.Not(SomeOtherPolicy)` |
| Or | | Combines multiple policies. Accepts only contexts that pass one or more of those policies. | `new Policies.Or([Policy1, Policy2, ...])` |
| Owner | | Allows the given action only for users who created the given items | `new Policies.Owner()` |
| Public | | Always allows | `new Policies.Public()` |
| Roles | | Allows only users with any of the provided roles | `new Policies.Roles(["admin"])` |
| SameAsForResourceInField | kind of | Looks at a single-reference-type field of the given item and applies policy logic from the item referenced by that field's value | see docs |
| Super | | Only SuperContext is allowed | `new Policies.Super()` |
| Themselves | | Makes sense only within the context of the users collection. Allows the action only to the user themselves (e.g. to see/edit their own data) | `new Policies.Themselves()` |
| UsersWhoCan | kind of | Applies a policy from another collection | `new Policies.UsersWhoCan(["create", "tasks"])` |
| UserReferencedInField | | Allows the action only if the context is on behalf of the user referenced in a specified single-reference field | `new Policies.UserReferencedInField("owner")` |
