SAP CAP Blog Posts
qmacro
Developer Advocate

Within the broad topic of security and data privacy, and specifically within security, we have two distinct concerns:

  • Authentication: verification of a user's identity
  • Authorization: checking what level of access a given user has

In other words, "who" a user is (authentication), and "how" that user can interact with the resources (authorization).

For authorization, CAP offers role-based access control facilities that revolve around a couple of annotations: @requires and @restrict.

The @restrict annotation allows for complex definitions of privilege declarations each of which can combine the granting of access to roles according to specific conditions, in this pattern:

{
  grant:<events>,
  to:<roles>,
  where:<condition>
}

The @requires annotation is actually just a convenience shortcut to something that we might commonly express with a @restrict annotation; for example:

@requires: 'Viewer'

is the equivalent of

@restrict: [ { grant:'*', to:'Viewer' } ]
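To see both annotations together in a service definition, here is a small added example (not from this post or the CAP project); the service, entity, field and role names (Viewer, Editor, owner via createdBy) are assumed for illustration, and the $user pseudo variable and the CREATE/READ/UPDATE/DELETE event names are the ones CAP documents:

```cds
// Added example, not from the post. NotesService, Categories, Notes and the
// Viewer/Editor roles are assumed names chosen for illustration.
using { cuid, managed } from '@sap/cds/common';

// Service-level @requires: every request must come from an authenticated
// user before any entity-level privilege declaration is evaluated.
service NotesService @(requires: 'authenticated-user') {

  // Same meaning as @requires: 'Viewer' (all events granted to Viewer).
  @restrict: [ { grant: '*', to: 'Viewer' } ]
  entity Categories : cuid {
    name : String(40);
  }

  // Several privilege declarations; a request is allowed if any one matches.
  //  - Viewers may READ every note,
  //  - Editors may CREATE notes,
  //  - Editors may UPDATE or DELETE only notes they created themselves:
  //    the where condition compares the managed createdBy field with $user,
  //    the id of the current user, so the check is instance-based.
  @restrict: [
    { grant: 'READ',   to: 'Viewer' },
    { grant: 'CREATE', to: 'Editor' },
    { grant: ['UPDATE', 'DELETE'], to: 'Editor', where: 'createdBy = $user' }
  ]
  entity Notes : cuid, managed {
    title    : String(100);
    content  : LargeString;
    category : Association to Categories;
  }
}
```

A user with only the Editor role who tries to read another user's notes is rejected by the runtime, since no declaration grants READ to Editor; that is the kind of gap worth checking with mocked users before going anywhere near a real identity provider.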

There's another security-related annotation in common use that is, likewise, just a convenience shortcut, this time for:

@restrict: [ { grant:'READ' } ]

What is the name of that annotation?

This is a question from the June Developer Challenge on CAP Knowledge. And don't forget: always submit your answer as a hash, on its own - read the Taking part section of the intro post for more info. At the end of today, this question will be updated with links to further reading on this topic.

Further info:

  • The Authorization topic in Capire is a great resource for CAP-level authorization affordances.
  • CAP's local-first development facilities include the ability to mock authentication, which allows us to embrace auth from the outset rather than avoid it and incur technical and design debt. Read more in the blog post Local-first dev with CAP Node.js - mocking auth.