🔒 Node Access Control Lists (ACL).


This module provides a Node Access Control Lists implementation inspired by Zend_ACL and node_acl package.

When you develop a web site or application you will soon notice that sessions are not enough to protect all the available resources. Preventing malicious users from accessing other users' content proves a much more complicated task than anticipated. ACL can solve this problem in a flexible and elegant way.

Create roles and assign roles to users. Sometimes it may even be useful to create one role per user, to get the finest granularity possible, while in other situations you will give the asterisk permission for admin kind of functionality.


$ yarn add @aclify/aclify


  • Users
  • Roles
  • Hierarchies
  • Resources
  • Express middleware for protecting resources.
  • Robust implementation with good unit test coverage.
  • Strict typing



Aclify offers several possibilities to store your data:

  • Memory
  • Redis
  • MongoDB


Create your acl module by requiring it and instantiating it with a valid store instance:

From import

import * as Aclify from '@aclify/aclify';

// Using Redis store
const acl = new Aclify.Acl(new Aclify.RedisStore(RedisClient, {prefix: 'acl_'}));

// Or Using the Memory store
const acl = new Aclify.Acl(new Aclify.MemoryStore());

// Or Using the MongoDB store
const acl = new Aclify.Acl(new Aclify.MongoDBStore(db, {prefix: 'acl_'}));

All the following functions return a Promise.

Create roles implicitly by giving them permissions:

// guest is allowed to view blogs
await acl.allow('guest', 'blogs', 'view');

// allow function accepts arrays as any parameter
await acl.allow('member', 'blogs', ['edit', 'view', 'delete']);

Users are likewise created implicitly by assigning them roles:

await acl.addUserRoles('joed', 'guest');

Hierarchies of roles can be created by assigning parents to roles:

await acl.addRoleParents('baz', ['foo', 'bar']);

Note that the order in which you call all the functions is irrelevant (you can add parents first and assign permissions to roles later).

await acl.allow('foo', ['blogs', 'forums', 'news'], ['view', 'delete']);

Use the wildcard to give all permissions:

await acl.allow('admin', ['blogs', 'forums'], '*');

Sometimes it is necessary to set permissions on many different roles and resources. This would lead to unnecessary nested callbacks for handling errors. Instead use the following:

await acl.allow([
    {roles: ['guest', 'member'], allows: [
        {resources: 'blogs', permissions: 'get'},
        {resources: ['forums', 'news'], permissions: ['get', 'put', 'delete']}
    ]},
    {roles: ['gold', 'silver'], allows: [
        {resources: 'cash', permissions: ['sell', 'exchange']},
        {resources: ['account', 'deposit'], permissions: ['put', 'delete']}
    ]}
]);

You can check if a user has permissions to access a given resource with isAllowed:

const isAllowed = await acl.isAllowed('joed', 'blogs', 'view');

if (isAllowed) {
    console.log("User Joed is allowed to view blogs");
}

Of course arrays are also accepted in this function:

await acl.isAllowed('jsmith', 'blogs', ['edit', 'view', 'delete'])

Note that all permissions must be fulfilled in order to get true.
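The rules described so far (implicit roles, role parents, the * wildcard, and checks that require every requested permission) can be traced in a small in-memory model. This is an added example, not Aclify's code: ToyAcl is hypothetical, runs synchronously instead of returning Promises, assumes a role inherits everything granted to its parents, and denies an empty permission list by its own choice.

```javascript
// Added illustration, NOT Aclify's code: ToyAcl is a hypothetical, synchronous model.
class ToyAcl {
  constructor() {
    this.grants = new Map();    // JSON [role, resource] -> Set of permissions
    this.parents = new Map();   // role -> Set of parent roles
    this.userRoles = new Map(); // userId -> Set of roles
  }
  static add(map, key, values) {
    if (!map.has(key)) map.set(key, new Set());
    for (const v of [].concat(values)) map.get(key).add(v);
  }
  allow(roles, resources, permissions) {
    for (const role of [].concat(roles))
      for (const res of [].concat(resources))
        ToyAcl.add(this.grants, JSON.stringify([role, res]), permissions);
  }
  addUserRoles(userId, roles) { ToyAcl.add(this.userRoles, userId, roles); }
  addRoleParents(role, parents) { ToyAcl.add(this.parents, role, parents); }
  // Walk the parent graph from the user's roles; `seen` stops on cycles.
  effectiveRoles(userId) {
    const seen = new Set();
    const stack = [...(this.userRoles.get(userId) || [])];
    while (stack.length > 0) {
      const role = stack.pop();
      if (seen.has(role)) continue;
      seen.add(role);
      stack.push(...(this.parents.get(role) || []));
    }
    return seen;
  }
  // Default deny: all requested permissions must be granted unless '*' is held.
  isAllowed(userId, resource, permissions) {
    const granted = new Set();
    for (const role of this.effectiveRoles(userId))
      for (const p of this.grants.get(JSON.stringify([role, resource])) || [])
        granted.add(p);
    const wanted = [].concat(permissions);
    return wanted.length > 0 &&
      (granted.has('*') || wanted.every((p) => granted.has(p)));
  }
}

// Constructed sample policy, reusing role names from the text.
const toy = new ToyAcl();
toy.addRoleParents('baz', ['foo', 'bar']); // parents first, grants later
toy.allow('foo', ['blogs', 'forums', 'news'], ['view', 'delete']);
toy.allow('admin', ['blogs', 'forums'], '*');
toy.addUserRoles('jsmith', 'baz');
toy.addUserRoles('root', 'admin');
```

In this model jsmith can view news only through the baz to foo inheritance, and the admin wildcard covers blogs and forums but nothing else, so a resource missing from the grant list stays denied.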

Sometimes it is necessary to know what permissions a given user has over certain resources:

const permissions = await acl.allowedPermissions('james', ['blogs', 'forums']);

It will return an array of resource:[permissions] like this:

[
    {blogs: ['get', 'delete']},
    {forums: ['get', 'put']}
]

Finally, we provide a middleware for Express for easy protection of resources.


We can protect a resource like this:

app.put('/blogs/:id', acl.middleware(), function(req, res, next) {...});

The middleware will protect the resource named by req.url, pick the user from req.session.userId and check the permission for req.method, so the above would be equivalent to something like this:

await acl.isAllowed(req.session.userId, '/blogs/12345', 'put')

The middleware accepts 3 optional arguments, that are useful in some situations. For example, sometimes we cannot consider the whole url as the resource:

app.put('/blogs/:id/comments/:commentId', acl.middleware(3), function(req, res, next) {…});

In this case the resource will be just the first three components of the url (without the ending slash).

It is also possible to add a custom userId or check for other permissions than the method:

app.put('/blogs/:id/comments/:commentId', acl.middleware(3, 'joed', 'post'), function(req, res, next) {…});
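Because the middleware keys its check on the request URL, permissions have to be granted on the exact path string, and numPathComponents decides how much of that path counts. The sketch below is an added example, not Aclify's middleware: the helper names, the synchronous stub ACL, stripping the query string, and the 401/403 status values are all assumptions made for illustration.

```javascript
// Added illustration (not Aclify's middleware); all helper names are hypothetical.
// Keep the first n path components of the URL as the resource name.
function resourceFromUrl(url, numPathComponents) {
  const path = url.split('?')[0]; // assumption: query string is ignored
  if (!numPathComponents) return path;
  return path.split('/').slice(0, numPathComponents + 1).join('/');
}

// Resolve the (userId, resource, permissions) triple the text describes.
function aclCheckFor(req, numPathComponents, userId, permissions) {
  const session = req.session || {};
  let user = userId !== undefined ? userId : session.userId;
  if (typeof user === 'function') user = user(req); // custom synchronous getter
  return {
    userId: user,
    resource: resourceFromUrl(req.url, numPathComponents),
    permissions: permissions || req.method.toLowerCase(),
  };
}

// Constructed grant table standing in for a store: "user resource permission".
const sampleGrants = new Set([
  'alice /blogs/12345 put',
  'alice /blogs/12345/comments put',
]);
const stubAcl = {
  isAllowed: (u, r, p) =>
    [].concat(p).every((x) => sampleGrants.has(`${u} ${r} ${x}`)),
};

// Returns an HTTP-style status; 401 and 403 are this example's choice.
function decide(req, numPathComponents, userId, permissions) {
  const c = aclCheckFor(req, numPathComponents, userId, permissions);
  if (c.userId === undefined || c.userId === null) return 401;
  return stubAcl.isAllowed(c.userId, c.resource, c.permissions) ? 200 : 403;
}
```

A grant on /blogs/12345 says nothing about /blogs/999, so per-object URLs need per-object grants or a shorter numPathComponents paired with an ownership check in the handler.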


addUserRoles( userId, roles )

Adds roles to a given user id.


    userId  {String|Number} User id.
    roles   {String|Array} Role(s) to add to the user id.

removeUser( userId )

Remove user.


    userId  {String|Number} User id.

removeUserRoles( userId, roles )

Remove roles from a given user.


    userId  {String|Number} User id.
    roles   {String|Array} Role(s) to remove from the user id.

userRoles( userId )

Return all the roles from a given user.


    userId  {String|Number} User id.

roleUsers( rolename )

Return all users who have a given role.


    rolename  {String|Number} Role name.

hasRole( userId, rolename )

Return a boolean indicating whether the user has the role.


    userId    {String|Number} User id.
    rolename  {String|Number} role name.

addRoleParents( role, parents )

Adds a parent or parent list to role.


    role      {String} Child role.
    parents   {String|Array} Parent role(s) to be added.

removeRoleParents( role, parents )

Removes a parent or parent list from role.

If parents is not specified, removes all parents.


    role      {String} Child role.
    parents   {String|Array} Parent role(s) to be removed [optional].

removeRole( role )

Removes a role from the system.


    role  {String} Role to be removed

removeResource( resource )

Removes a resource from the system


    resource  {String} Resource to be removed

allow( roles, resources, permissions )

Adds the given permissions to the given roles over the given resources.


    roles         {String|Array} role(s) to add permissions to.
    resources     {String|Array} resource(s) to add permissions to.
    permissions   {String|Array} permission(s) to add to the roles over the resources.

allow( permissionsArray )


    permissionsArray  {Array} Array with objects expressing what permissions to give.
       [{roles: {String|Array}, allows: [{resources: {String|Array}, permissions: {String|Array}}]}]

removeAllow( role, resources, permissions )

Removes the given permissions over the given resources from the given role.

Note: we lose atomicity when removing empty role_resources.


    role          {String}
    resources     {String|Array}
    permissions   {String|Array}

allowedPermissions( userId, resources )

Returns all the allowable permissions a given user has to access the given resources.

It returns an array of objects where every object maps a resource name to a list of permissions for that resource.


    userId      {String|Number} User id.
    resources   {String|Array} resource(s) to ask permissions for.

isAllowed( userId, resource, permissions )

Checks if the given user is allowed to access the resource for the given permissions (note: it must fulfill all the permissions).


    userId        {String|Number} User id.
    resource      {String} resource to ask permissions for.
    permissions   {String|Array} asked permissions.

areAnyRolesAllowed( roles, resource, permissions )

Returns true if any of the given roles have the right permissions.


    roles         {String|Array} Role(s) to check the permissions for.
    resource      {String} resource to ask permissions for.
    permissions   {String|Array} asked permissions.

whatResources( role )

Returns what resources a given role has permissions over.


    role  {String|Array} Roles

whatResources(role, permissions )

Returns what resources a role has the given permissions over.


    role          {String|Array} Roles
    permissions   {String|Array} Permissions

middleware( [numPathComponents, userId, permissions] )

Middleware for express.

To create a custom getter for userId, pass a function(req, res) which returns the userId when called (must not be async).


    numPathComponents   {Number} number of components in the url to be considered part of the resource name.
    userId              {String|Number|Function} the user id for the acl system (defaults to req.session.userId)
    permissions         {String|Array} the permission(s) to check for (defaults to req.method.toLowerCase())

Creates a new Redis store using Redis client client.


$ yarn test


Run using yarn <script> command.

clean - Removes temporary files
build - Builds typescript files
build:watch - Builds typescript files in watch mode
lint - Checks lint
lint:fix - Auto lint fix
test - Runs tests in dockerized environment
test:coverage - Runs tests


