Rockets Access Control Skill
When to Use This vs the Generator
- New module with ACL → use
rockets-crud-generatorwithaclconfig — it generates all ACL wiring automatically - Adding ACL to existing module → follow the Quick Workflow below
- Modifying ACL rules post-generation → follow the Quick Workflow below
- Debugging access issues → see Troubleshooting table below
- Advanced patterns (time-based, custom resources, role hierarchies) → read
development-guides/ACCESS_CONTROL_GUIDE.md
Quick Workflow (Manual ACL)
- Define resource constants in
src/modules/{name}/constants/{name}.constants.ts - Add to AppResource enum in
app.acl.ts - Define ACL rules in
app.acl.ts(acRules.grant()) - Create Access Query Service — uses
@InjectDynamicRepositoryfor ownership checks - Register as a provider in the feature module and export it (AccessControlGuard resolves via the controller's host module)
- Add controller decorators —
@UseGuards(AccessControlGuard),@AccessControlQuery, etc.
See development-guides/ACCESS_CONTROL_GUIDE.md for the full Access Query Service pattern and registration code.
Troubleshooting
| Issue | Cause | Fix |
|-------|-------|-----|
| 403 on all requests | Resource not in acRules | Add acRules.grant() in app.acl.ts |
| 403 for users only | Missing Own permissions | Add createOwn/readOwn/etc. |
| Access Query always denies | Default return false | Implement ownership check in canAccess() |
| 500 "provider does not exist" | Access query service not in controller's module | Add to providers + exports in the feature module |
| Users see all resources | No ownership filtering | Implement readOwn in Access Query using @InjectDynamicRepository |
Full Reference
development-guides/ACCESS_CONTROL_GUIDE.md
微信扫一扫