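Security control in cube.js based on queryRewrite

With queryRewrite we can implement powerful security controls, such as role-based access control and column-based access control.

Role-based access control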

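module.exports = {
  queryRewrite: (query, { securityContext }) => {
    // Reject requests whose security context carries no role.
    if (!securityContext.role) {
      throw new Error('No role found in Security Context!');
    }

    // Managers only see shipped and completed orders.
    if (securityContext.role === 'manager') {
      query.filters.push({
        member: 'Orders.status',
        operator: 'equals',
        values: ['shipped', 'completed'],
      });
    }

    // Operators only see orders that are still processing.
    if (securityContext.role === 'operator') {
      query.filters.push({
        member: 'Orders.status',
        operator: 'equals',
        values: ['processing'],
      });
    }

    // Note: any other role value falls through with no filter added.
    return query;
  },
};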

Column-based access control

module.exports = {
  queryRewrite: (query, { securityContext }) => {
    // Cube names referenced by the query's measures and dimensions
    // (other query parts are not inspected here).
    const cubeNames = [
      ...Array.from(query.measures, (e) => e.split('.')[0]),
      ...Array.from(query.dimensions, (e) => e.split('.')[0]),
    ];

    // Queries that touch Products are restricted to the caller's own supplier row.
    if (cubeNames.includes('Products')) {
      if (!securityContext.email) {
        throw new Error('No email found in Security Context!');
      }

      query.filters.push({
        member: 'Suppliers.email',
        operator: 'equals',
        values: [securityContext.email],
      });
    }

    return query;
  },
};
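
Added example (not from the original post or from Cube's documentation): a combined queryRewrite that fails closed on a missing or unknown role, and that detects references to the Products cube in segments, timeDimensions and nested and/or filters as well as in measures and dimensions. ROLE_STATUSES and referencedCubes are hypothetical names, and the example assumes one deployment applies both rules shown above.

```javascript
// Added example, not Cube's own code. ROLE_STATUSES and referencedCubes are hypothetical names.
const ROLE_STATUSES = {
  manager: ['shipped', 'completed'],
  operator: ['processing'],
};

// Collect cube names from every query part that can name a member,
// including nested and/or filter groups.
function referencedCubes(query) {
  const names = new Set();
  const add = (member) => member && names.add(member.split('.')[0]);
  const walk = (filters) =>
    (filters || []).forEach((f) => {
      add(f.member || f.dimension);
      walk(f.and);
      walk(f.or);
    });
  (query.measures || []).forEach(add);
  (query.dimensions || []).forEach(add);
  (query.segments || []).forEach(add);
  (query.timeDimensions || []).forEach((t) => add(t.dimension));
  walk(query.filters);
  return names;
}

const queryRewrite = (query, { securityContext } = {}) => {
  const ctx = securityContext || {};
  // Fail closed: a missing or unrecognised role is rejected, not passed through unfiltered.
  if (!Object.prototype.hasOwnProperty.call(ROLE_STATUSES, ctx.role)) {
    throw new Error('Missing or unknown role in Security Context!');
  }
  query.filters = query.filters || [];
  query.filters.push({
    member: 'Orders.status',
    operator: 'equals',
    values: [...ROLE_STATUSES[ctx.role]],
  });
  if (referencedCubes(query).has('Products')) {
    if (!ctx.email) throw new Error('No email found in Security Context!');
    query.filters.push({
      member: 'Suppliers.email',
      operator: 'equals',
      values: [ctx.email],
    });
  }
  return query;
};
// In cube.js this would be exported as: module.exports = { queryRewrite };
```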

Notes

The content above is based on the official documentation, which is a good resource.

References

https://cube.dev/docs/recipes/column-based-access
https://cube.dev/docs/recipes/role-based-access

posted on 2021-08-24 21:51  荣锋亮
