我想实现基于角色的访问控制,并希望控制应用程序的某些部分(或子部分)的显示.
我将从Node.js获取权限列表,这只是一个具有这种结构的对象:
- {
- users: 'read',models: 'write',...
- dictionaries: 'none',}
密钥是受保护的资源,
value是此资源的用户权限(以下之一:none,read,write).
我将它存储到redux状态.似乎很容易.
反应路由器路由onEnter / onChange挂钩或redux-auth-wrapper将检查none权限.这似乎也很容易.
但是,对任何组件视图应用读/写权限的最佳方法是什么(例如,如果用户具有{models:’read’}权限,则隐藏模型组件中的编辑按钮).
我找到了this solution并为我的任务改了一点:
- class Check extends React.Component {
- static propTypes = {
- resource: React.PropTypes.string.isrequired,permission: React.PropTypes.oneOf(['read','write']),userPermissions: React.PropTypes.object,};
- // Checks that user permission for resource is the same or greater than required
- allowed() {
- const permissions = ['read','write'];
- const { permission,userPermissions } = this.props;
- const userPermission = userPermissions[resource] || 'none';
- return permissions.indexOf(userPermission) >= permissions.indexOf(permission)
- }
- render() {
- if (this.allowed()) return { this.props.children };
- }
- }
- export default connect(userPermissionsSelector)(Check)
其中userPermissionsSelector将是这样的:(store)=> store.userPermisisons并返回用户权限对象.
然后使用Check包装protected元素:
- <Check resource="models" permission="write">
- <Button>Edit model</Button>
- </Check>
有人做过这样的事吗?有比这更“优雅”的解决方案吗?
谢谢!
附:当然,用户权限也将在服务器端进行检查.
我写的是HOC反应路由器风格.
基本上我有我的PermissionsProvider,我在其中初始化用户权限.我有另一个withPermissions HOC,它将我之前提供的权限注入到我的组件中.
因此,如果我需要检查该特定组件的权限,我可以轻松访问它们.
- // PermissionsProvider.js
- import React,{ Component } from "react";
- import PropTypes from "prop-types";
- import hoistStatics from "hoist-non-react-statics";
- class PermissionsProvider extends React.Component {
- static propTypes = {
- permissions: PropTypes.array.isrequired,};
- static contextTypes = {
- permissions: PropTypes.array,};
- static childContextTypes = {
- permissions: PropTypes.array.isrequired,};
- getChildContext() {
- // maybe you want to transform the permissions somehow
- // maybe run them through some helpers. situational stuff
- // otherwise just return the object with the props.permissions
- // const permissions = doSomething(this.props.permissions);
- // maybe add some validation methods
- return { permissions: this.props.permissions };
- }
- render() {
- return React.Children.only(this.props.children);
- }
- }
- const withPermissions = Component => {
- const C = (props,context) => {
- const { wrappedComponentRef,...remainingProps } = props;
- return (
- <Component permissions={context.permissions} {...remainingProps} ref={wrappedComponentRef} />
- );
- };
- C.displayName = `withPermissions(${Component.displayName || Component.name})`;
- C.WrappedComponent = Component;
- C.propTypes = {
- wrappedComponentRef: PropTypes.func
- };
- C.contextTypes = {
- permissions: PropTypes.array.isrequired
- };
- return hoistStatics(C,Component);
- };
- export { PermissionsProvider as default,withPermissions };
好的,我知道这是很多代码.但这些是HOC(你可以了解更多here).
A higher-order component (HOC) is an advanced technique in React for
reusing component logic. HOCs are not part of the React API,per se.
They are a pattern that emerges from React’s compositional nature.
Concretely,a higher-order component is a function that takes a
component and returns a new component.
基本上我这样做是因为我受到路由器反应的启发.
每当你想知道一些路由的东西,你可以添加装饰器@withRouter,他们将道具注入你的组件.那么为什么不做同样的事呢?
>首先,您必须使用提供程序设置权限
>然后在检查权限的组件上使用withPermissions装饰器
- //App render
- return (
- <PermissionsProvider permissions={permissions}>
- <SomeStuff />
- </PermissionsProvider>
- );
在SomeStuff里面你有一个广泛传播的工具栏来检查权限?
- @withPermissions
- export default class Toolbar extends React.Component {
- render() {
- const { permissions } = this.props;
- return permissions.canDoStuff ? <RenderStuff /> : <HeCantDoStuff />;
- }
- }
如果您不能使用装饰器,则可以像这样导出工具栏
- export default withPermissions(Toolbar);
这是我在实践中展示的代码框:
https://codesandbox.io/s/lxor8v3pkz
笔记:
>我真的非常简化了权限,因为该逻辑来自您的结束,为了演示目的,我简化了它们.>我假设权限是一个数组,这就是为什么我检查HOC中的PropTypes.array>这是一个非常漫长而复杂的答案,我试图用最好的能力表达出来.请不要在这里和那里烧掉我的一些错误:)
