Simple authorisation addon for Ember.
v0.4.0 and v0.3.0 introduced backwards incompatible changes.
- v0.4.0 - stopped singularizing ability names to work with pods
- v0.3.0 - removed
if-canhelper, uses sub-expression instead
See UPGRADING for more details.
You want to conditionally allow creating a new blog post:
We define an ability for the Post resource in /app/abilities/post.js:
import { Ability } from 'ember-can';
export default Ability.extend({
canWrite: function() {
return this.get('user.isAdmin');
}.property('user.isAdmin')
});We can also re-use the same ability to check if a user has access to a route:
import Ember from 'ember';
import { CanMixin } from 'ember-can';
export default Ember.Route.extend(CanMixin, {
beforeModel: function() {
if (!this.can('write post')) {
this.transitionTo('index');
}
}
});Install this addon via npm:
npm install --save-dev ember-can
The minimum supported Ember version is 1.10.x due to the use of sub-expressions.
For v1.9.x support, use v0.2.1:
npm install --save-dev [email protected]
An ability class protects an individual model / resource which is available in the ability as model.
The ability checks themselves are simply standard Ember objects with computed properties:
import { Ability } from 'ember-can';
export default Ability.extend({
// only admins can write a post
canWrite: function() {
return this.get('user.isAdmin');
}.property('user.isAdmin'),
// only the person who wrote a post can edit it
canEdit: function() {
return this.get('user.id') === this.get('model.author');
}.property('user.id', 'model.author')
});The can helper is meant to be used with {{if}} and {{unless}} to protect a block.
The first parameter is a string which is used to find the ability class call the appropriate property (see "Looking up abilities" below).
The second parameter is an optional model object which will be given to the ability to check permissions.
As activities are standard Ember objects and computed properties if anything changes then the view will automatically update accordingly.
As it's a sub-expression, you can use it anywhere a helper can be used. For example to give a div a class based on an ability you can use an inline if:
If you need more than a single resource in an ability, you can pass them additional attributes.
You can do this in the helpers, for example this will set the model to project as usual,
but also member as a bound property.
Similarly in routes you can pass additional attributes after or instead of the resource:
this.can('edit post', post, { author: bob });
this.can('write post', { project: project });These will set author and project on the ability respectively so you can use them in the checks.
In the example above we said {{#if-can "write post"}}, how do we find the ability class & know which property to use for that?
First we chop off the last word as the resource type which is looked up via the container.
The ability file can either be looked up in the top level /app/abilities directory, or via pod structure.
Then for the ability name we remove some basic stopwords (of, for in) at the end, prepend with "can" and camelCase it all.
For example:
| String | property | resource | pod |
|---|---|---|---|
| write post | canWrite |
/abilities/post.js |
app/pods/post/ability.js |
| manage members in projects | canManageMembers |
/abilities/projects.js |
app/pods/projects/ability.js |
| view profile for user | canViewProfile |
/abilities/user.js |
app/pods/user/ability.js |
Current stopwords which are ignored are:
- for
- from
- in
- of
- to
How does the ability know who's logged in? This depends on how you implement it in your app!
If you're using ember-simple-auth, you'll probably want to inject the simple-auth-session:main session
into the ability classes.
To do this, edit your app's /config/environment.js like so:
ENV['ember-can'] = {
inject: {
session: 'simple-auth-session:main'
}
};The ability classes will now have access to session which can then be used to check if the user is logged in etc...
In a controller or component, you may want to expose abilities as computed properties so that you can bind to them in your templates.
To do that there's a helper to lookup the ability for a resource, which you can then alias properties:
import { computed } from 'ember-can';
import Ember from 'ember';
export default Ember.Controller.extend({
post: null, // set by the router
// looks up the "post" ability and sets the model as the controller's "post" property
ability: computed.ability('post'),
// alias properties to the ability for easier access
canEditPost: Ember.computed.alias('ability', 'canEdit')
});computed.ability assumes that the property for the resource is the same as the ability resource.
If that's not the case, include it as the second parameter.
For example, in an ObjectController we probably want to use the content:
import { computed } from 'ember-can';
import Ember from 'ember';
export default Ember.ObjectController.extend({
// looks up the "post" ability and sets the model as the controller's "content" property
ability: computed.ability('post', 'content')
});git clonethis repositorynpm installbower install
ember server- Visit your app at http://localhost:4200.
ember testember test --server
ember build
For more information on using ember-cli, visit http://www.ember-cli.com/.