Many times, you might want to expose/restrict certain operations on a resource publicly, i.e. grant/deny access irrespective of whether the user is logged in or not.
Space Cloud allows you to do this in a very easy manner by using the allow and deny rules.
The allow rule is used to disable access control entirely for a particular operation on a resource. The request is allowed to be made even if the JWT token is absent in the request. This rule is used only when you want to expose a resource publicly.
Example: Allow anonymous users to view articles of your blog by providing the following rule for the read operation of the articles table:
{
  "rule": "allow"
}
You shouldn’t use allow for mutations like update or delete. Otherwise, any anonymous user might update or delete your entire table.
The deny rule is used to restrict access to a particular operation on a resource. The request is denied irrespective of whether the JWT token is present in the request or not.
Example: Restrict anyone from deleting the purchase history by providing the following rule for the delete operation of the purchases table:
{
  "rule": "deny"
}
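The warning above about allow on update or delete can be checked before rules are deployed. The following is an added example, not code from Space Cloud or its documentation: a small Python linter that flags operations reachable without a token. Assumptions: the table -> operation -> rule mapping layout, the sample rules, the authenticated rule, and the or/and rules with a clauses list are not shown on this page and are used here for illustration.

```python
# Added example: lint a table -> operation -> rule mapping for public mutations.
# The mapping layout and the sample rules are constructed for illustration.
MUTATIONS = ("update", "delete")  # operations the page warns against exposing


def is_public(rule):
    """True if the rule lets a request through without any JWT check."""
    kind = rule.get("rule")
    if kind == "allow":
        return True
    clauses = rule.get("clauses", [])
    if kind == "or":   # assumed semantics: one public clause opens the rule
        return any(is_public(c) for c in clauses)
    if kind == "and":  # assumed semantics: public only if every clause is
        return bool(clauses) and all(is_public(c) for c in clauses)
    return False       # "deny" and every other rule type are not public


def audit(rules):
    """Return sorted (table, operation, level) findings for public operations."""
    findings = []
    for table, ops in rules.items():
        for op, rule in ops.items():
            if is_public(rule):
                level = "HIGH" if op in MUTATIONS else "INFO"
                findings.append((table, op, level))
    return sorted(findings)


SAMPLE_RULES = {  # constructed sample, not a real project's configuration
    "articles": {
        "read": {"rule": "allow"},
        "update": {"rule": "allow"},
        "delete": {"rule": "deny"},
    },
    "purchases": {
        "read": {"rule": "authenticated"},
        "update": {"rule": "or", "clauses": [{"rule": "authenticated"}, {"rule": "allow"}]},
        "delete": {"rule": "deny"},
    },
}

if __name__ == "__main__":
    for table, op, level in audit(SAMPLE_RULES):
        print(f"{level:4} {table}.{op} is reachable without a token")
```

HIGH findings are public update or delete operations; INFO findings are other public operations, such as the intentionally public read on articles, listed so they can be reviewed.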