
javascript - NestJS strategy for excluding fields for different user roles? - Stack Overflow


Let's say I have a base entity, ShopsEntity, that has a bunch of fields along with a secret property:

import { ObjectType, Field } from '@nestjs/graphql';

@ObjectType()
class ShopsEntity {

   @Field()
   name: string;

   @Field()
   rating: string;

   // should only be serialised for callers holding the required role
   @Field()
   secret: string;
}

I don't want the secret property to be serialised unless a user has a certain role defined through Nest Access Control (that module only allows for RoleGuards to be placed on the resolvers themselves, meaning I would need different routes per role).

So, following a request to the same endpoint with differing levels of authentication, an Admin would get:

{
  "name": "name",
  "rating": "rating",
  "secret": "secret"
}

and a regular querying user would get:

{
  "name": "name",
  "rating": "rating"
}

Is there a declarative way in which I can do property-level security here, or is the best solution having separate DTOs for each level of security?


asked Nov 11, 2019 at 10:01 by stewartmcgown; edited Nov 12, 2019 at 9:13 by Kim Kern
  • I use the groups feature of class-transformer, which I use for the serialization (or resp. class-validator for validation). I'm not sure if it interoperates with your access control library. Have a look at github.com/typestack/… and stackoverflow.com/a/54057206/4694994 – Kim Kern, Nov 11, 2019 at 16:46
  • yep, looks like groups is the way to go! Integrates very nicely with access-control as I can reimport the roles used there. – stewartmcgown, Nov 11, 2019 at 22:56

1 Answer


With class-transformer, you can use the groups property to expose properties only for certain groups/roles:

import { Exclude, Expose } from "class-transformer";

// Class-level @Exclude(): every property is dropped from the output unless
// it is explicitly exposed, so newly added fields are hidden by default.
@Exclude()
export class User {

    // Only emitted when the serialization runs with the "admin" group
    @Expose({ groups: ["admin"] })
    secret: string;
}

On how to use the ClassSerializerInterceptor with groups, see the following answer.
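As an added illustration (not code from the question, the answer, class-transformer or NestJS), the following is a dependency-free model of the rule the answer relies on: class-level exclusion plus per-field group exposure, with the groups derived from the server-side roles of the authenticated user. The names `Role`, `ROLE_GROUPS`, `SHOP_POLICY` and `serializeForRoles` are assumptions made for this example; the real project would let `ClassSerializerInterceptor` apply the decorators instead.

```typescript
// Added example: models "@Exclude() on the class + @Expose({ groups })"
// without class-transformer, so the role-to-group logic runs stand-alone.
type Role = "admin" | "user";

// Exposure rule per field, mirroring the decorators in the answer:
//   "public"          -> @Expose() with no groups: visible to every caller
//   { groups: [...] } -> @Expose({ groups }): visible only if the caller's
//                        groups intersect the listed ones
// A field absent from the policy behaves like a field under class-level
// @Exclude() with no @Expose(): hidden for everyone (deny by default).
type FieldRule = "public" | { groups: string[] };
type Policy = Record<string, FieldRule>;

const SHOP_POLICY: Policy = {
  name: "public",
  rating: "public",
  secret: { groups: ["admin"] },
};

// Groups come from the authenticated principal's roles on the server,
// never from anything the client sends; the mapping here is an assumption.
const ROLE_GROUPS: Record<Role, string[]> = {
  admin: ["admin"],
  user: [],
};

function serializeForRoles(
  entity: Record<string, unknown>,
  policy: Policy,
  roles: Role[],
): Record<string, unknown> {
  const groups = new Set(roles.flatMap((r) => ROLE_GROUPS[r]));
  const out: Record<string, unknown> = {};
  for (const [field, value] of Object.entries(entity)) {
    const rule = policy[field];
    if (rule === undefined) continue; // no @Expose(): never serialised
    if (rule === "public" || rule.groups.some((g) => groups.has(g))) {
      out[field] = value;
    }
  }
  return out;
}

// Constructed sample entity; "internalNote" has no rule and must never leak.
const shop = { name: "name", rating: "rating", secret: "secret", internalNote: "x" };
console.log(JSON.stringify(serializeForRoles(shop, SHOP_POLICY, ["admin"])));
console.log(JSON.stringify(serializeForRoles(shop, SHOP_POLICY, ["user"])));
```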
