wolkenkit
Documentation
News
DocumentationReferenceCreating the write modelConfiguring authorization

Configuring authorization

In any decent application you do not want everybody to run any command or receive any event. Hence use authorization to configure what is granted to whom.

When a user creates an aggregate instance, this user becomes the aggregate's owner. By default, only the owner is allowed to run commands and receive events for a given aggregate instance. To grant this to other users as well, configure authorization for commands and events.

For that, add the command to the initialState.isAuthorized.commands property, or add the event to the initialState.isAuthorized.events property, and set their authorization options.

To grant access to any authenticated user set the forAuthenticated flag to true, to grant access to anyone set the forPublic flag to true. Not providing a flag is equivalent to setting it to false explicitly.

E.g., to grant running issue commands to authenticated users, and grant retrieving issued events to anyone, use the following code:

const initialState = {
  isAuthorized: {
    commands: {
      issue: { forAuthenticated: true, forPublic: false }
    },
    events: {
      issued: { forAuthenticated: true, forPublic: true }
    }
  }
};

Granting access from a command

Sometimes you need to grant or revoke access to commands and events at runtime. For that, use the authorize function of the aggregate instance within a command. This function requires you to provide the commands and events as well as the access rights that you want to change. To grant access set the appropriate value to true, to revoke access set it to false.

E.g., if you want to grant access to the issue command to anyone, and revoke access from the issued event for anyone, use the following code:

invoice.authorize({
  commands: {
    issue: { forPublic: true }
  },
  events: {
    issued: { forPublic: false }
  }
});

Transferring ownership from a command

To transfer ownership of a aggregate instance, use the transferOwnership function of the aggregate instance within a command. This function requires you to provide the id of the new owner using the to property.

E.g., to transfer ownership of an invoice to the user with the id 9d0ad83b-865c-4684-b420-41f630118f1b, use the following code:

invoice.transferOwnership({
  to: '9d0ad83b-865c-4684-b420-41f630118f1b'
});

Only known users

If you provide an id of a non-existent user, the ownership will be transferred anyway. You will not be able to return to the previous state.