
Security

Authorization with policies

Summary

In this lesson, we implement authorization in our Sails.js application to restrict access to certain actions (e.g., creating, editing, or deleting articles) to only logged-in admin users.

Using Sails policies, we guard specific actions and redirect users who are not logged in to the login page. This ensures that only authenticated users can perform these sensitive operations, enhancing the security of our blog application.

Transcript

In the previous lesson, we set up basic authentication. Now, we’ll implement authorization to ensure only logged-in admin users can perform sensitive actions like creating, editing, or deleting articles.

Here’s how we’ll do it:

  1. Set Up Policies:

    • Policies in Sails are functions that run before an action. Each policy receives the request and response plus a `proceed` callback, and either calls `proceed()` to let the action run or sends a response (redirect, 403, etc.) to stop it.

    • Create a policy file in api/policies/isAdmin.js:

      // Runs before every action the policy is mapped to in config/policies.js.
      // Note: this checks only that someone is logged in (a userId exists in the
      // session); it does not check that the user is an admin. That is adequate
      // only while admin accounts are the only ones that can log in.
      module.exports = function (req, res, proceed) {  
        if (req.session.userId) {  
          return proceed(); // Allow access if user is logged in  
        }  
        return res.redirect('/login'); // Redirect to login if not logged in  
      };  
  2. Configure policies:

    • In config/policies.js, define which actions are restricted:

      module.exports.policies = {  
        'articles/*': 'isAdmin', // Guard all article actions by default  
        'articles/view-articles': true, // Allow public access to view all articles  
        'articles/view-article': true // Allow public access to view individual articles  
      };  
  3. Test the authorization flow:

    • Restart the Sails server and navigate to the blog.

    • Attempt to access restricted actions (e.g., creating or editing articles) without logging in.

    • Verify that unauthorized users are redirected to the login page.

  4. Log in as admin:

    • Log in with the admin credentials (admin@blog.com, password).

    • Confirm that logged-in users can now access restricted actions.

  5. Session management:

    • If the server restarts, the session ends and users must log in again. This is because Sails' default session store keeps sessions in the server's memory; in production, configure a persistent session store so logins survive restarts.
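The policy above treats any logged-in user as an admin and always redirects, which is fine for a browser-only blog but not for a real role check or for JSON clients. The following is an added example (not the course's own code) of a stricter api/policies/isAdmin.js that distinguishes "not logged in" (redirect, or 401 for JSON requests) from "logged in but not an admin" (403), together with a small stand-in for Sails' req/res so the decisions can be exercised in plain Node. It assumes, which the lesson does not state, that the login action also stores `req.session.isAdmin`; `req.wantsJSON` and `res.forbidden()` are real Sails request/response helpers.

```javascript
// Added example (not the course's own code): a stricter api/policies/isAdmin.js
// plus a tiny harness so it can be run outside a Sails app.
// Assumption not from the lesson: the login action also sets
// `req.session.isAdmin` (true for admin accounts).

function isAdminPolicy(req, res, proceed) {
  const session = req.session || {};

  // 1. Not authenticated at all.
  if (!session.userId) {
    // Browser navigations go to the login form. JSON/AJAX clients (Sails sets
    // req.wantsJSON for them) get a 401, since fetch() cannot usefully follow
    // a redirect to an HTML login page.
    if (req.wantsJSON) {
      return res.status(401).json({ error: 'Login required' });
    }
    return res.redirect('/login');
  }

  // 2. Authenticated but not an admin: an authorization failure, so 403.
  // Redirecting here would bounce an already-logged-in user back to /login.
  if (session.isAdmin !== true) {
    return res.forbidden();
  }

  // 3. Authenticated admin: let the guarded action run.
  return proceed();
}

// Stand-in for Sails' req/res: records what the policy decided instead of
// sending a real HTTP response.
function runPolicy(policy, req) {
  const outcome = { decision: null, status: null, location: null, body: null };
  const res = {
    redirect(url) { outcome.decision = 'redirect'; outcome.status = 302; outcome.location = url; },
    forbidden() { outcome.decision = 'forbidden'; outcome.status = 403; },
    status(code) { outcome.status = code; return res; },
    json(body) { outcome.decision = 'json'; outcome.body = body; },
  };
  policy(req, res, () => { outcome.decision = 'proceed'; outcome.status = 200; });
  return outcome;
}

// Constructed requests covering the cases worth checking.
const SCENARIOS = {
  anonymousBrowser: { session: {}, wantsJSON: false },
  anonymousApi:     { session: {}, wantsJSON: true },
  loggedInReader:   { session: { userId: 42, isAdmin: false }, wantsJSON: false },
  admin:            { session: { userId: 1, isAdmin: true }, wantsJSON: false },
};

function evaluateAll() {
  const byScenario = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    byScenario[name] = runPolicy(isAdminPolicy, req);
  }
  return byScenario;
}

// Stand-alone demo: one line per scenario.
for (const [name, r] of Object.entries(evaluateAll())) {
  console.log(`${name.padEnd(16)} -> ${r.decision} (${r.status}${r.location ? ' ' + r.location : ''})`);
}

// Sails loads a policy file as a module whose export is the policy function.
if (typeof module !== 'undefined') {
  module.exports = isAdminPolicy;
}
```

Two design points: a 403 for a logged-in non-admin avoids the redirect loop you get when a policy sends an authenticated user back to /login, and the `req.wantsJSON` branch matters as soon as the admin UI makes fetch() calls, because an HTML redirect looks to such a client like a 200 with the wrong body.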

Example workflow:

  • Unauthorized user:

    • Clicks "New Article" → Redirected to /login.

    • Attempts to edit or delete an article → Redirected to /login.

  • Authorized User (Admin):

    • Logs in with correct credentials.

    • Can create, edit, or delete articles without restrictions.

Key takeaways:

  • Policies enforce access control in Sails applications.

  • Redirect users who are not logged in to the login page for restricted actions; a logged-in user who lacks the required role should get a 403 rather than another redirect.

  • Combine authentication (login) and authorization (policies) to secure your application.

This setup ensures that only authenticated users can perform sensitive operations, making the blog more secure and functional. The policy as written verifies login, not role; once non-admin users can log in, extend it to check that the session belongs to an admin.
