返回 Skill 列表
extension
分类: 开发与工程无需 API Key

rockets-access-control

此技能应在向现有模块添加ACL、修改基于角色的访问规则、调试403错误、配置所有权检查或手动编写访问查询服务时使用。对于新模块,应改用带有ACL配置的rockets-crud-generator——它会自动生成所有ACL连接。

person作者: jakexiaohubgithub

Rockets Access Control Skill

When to Use This vs the Generator

  • New module with ACL → use rockets-crud-generator with acl config — it generates all ACL wiring automatically
  • Adding ACL to existing module → follow the Quick Workflow below
  • Modifying ACL rules post-generation → follow the Quick Workflow below
  • Debugging access issues → see Troubleshooting table below
  • Advanced patterns (time-based, custom resources, role hierarchies) → read development-guides/ACCESS_CONTROL_GUIDE.md

Quick Workflow (Manual ACL)

  1. Define resource constants in src/modules/{name}/constants/{name}.constants.ts
  2. Add to AppResource enum in app.acl.ts
  3. Define ACL rules in app.acl.ts (acRules.grant())
  4. Create Access Query Service — uses @InjectDynamicRepository for ownership checks
  5. Register as a provider in the feature module and export it (AccessControlGuard resolves via the controller's host module)
  6. Add controller decorators@UseGuards(AccessControlGuard), @AccessControlQuery, etc.

See development-guides/ACCESS_CONTROL_GUIDE.md for the full Access Query Service pattern and registration code.

Troubleshooting

| Issue | Cause | Fix | |-------|-------|-----| | 403 on all requests | Resource not in acRules | Add acRules.grant() in app.acl.ts | | 403 for users only | Missing Own permissions | Add createOwn/readOwn/etc. | | Access Query always denies | Default return false | Implement ownership check in canAccess() | | 500 "provider does not exist" | Access query service not in controller's module | Add to providers + exports in the feature module | | Users see all resources | No ownership filtering | Implement readOwn in Access Query using @InjectDynamicRepository |

Full Reference

development-guides/ACCESS_CONTROL_GUIDE.md