RBAC and ABAC
Vibe Prompt
"Help me design an RBAC system with three roles: admin, editor and viewer. admin can manage everything, editor can edit content, and viewer can only read."
RBAC implementation
import express, { Request, Response, NextFunction } from 'express';

// Role definitions: each role maps to the permissions it grants.
const ROLES = {
  admin: ['read', 'write', 'delete', 'manage_users'],
  editor: ['read', 'write'],
  viewer: ['read'],
} as const;

type Role = keyof typeof ROLES;
type Permission = (typeof ROLES)[Role][number];
interface User { id: string; role: Role; }

// Permission check: a missing user or a role not in the table gets no
// permissions, so the default is deny.
function authorize(user: User | undefined, requiredPermission: Permission): boolean {
  if (!user) return false;
  const permissions: readonly Permission[] = ROLES[user.role] ?? [];
  return permissions.includes(requiredPermission);
}

// Express middleware: rejects with 403 unless the authenticated user holds the permission.
// req.user is assumed to be populated by an earlier authentication middleware.
function requirePermission(permission: Permission) {
  return (req: Request, res: Response, next: NextFunction) => {
    if (!authorize((req as Request & { user?: User }).user, permission)) {
      return res.status(403).json({ error: '權限不足' });
    }
    next();
  };
}

declare const users: User[]; // loaded elsewhere in the application
const app = express();
app.get('/api/users', requirePermission('manage_users'), (req, res) => {
  res.json(users);
});
ABAC (attribute-based)
// ABAC policy: users may only edit their own articles (admins may edit any).
function canEditArticle(user, article) {
  return user.id === article.authorId || user.role === 'admin';
}

// ABAC policy: deletion is only allowed during business hours.
// Note: getHours() uses the server's local time zone, so the window shifts
// with wherever the process runs; pin the zone explicitly in production.
function canDelete(user) {
  const hour = new Date().getHours();
  return user.role === 'admin' && hour >= 9 && hour <= 18;
}
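As an added example (not code from the original page), the evaluator below combines the RBAC role table with the two ABAC rules from this section: it denies by default for anonymous users and unknown roles, pins the business-hours check to an explicit time zone instead of the server clock, and returns the rule that caused a denial so it can be logged. The policy and function names are my own.

```javascript
// Role table from the RBAC section above; everything else here is added illustration.
const ROLES = {
  admin: ['read', 'write', 'delete', 'manage_users'],
  editor: ['read', 'write'],
  viewer: ['read'],
};

// Hour of day (0-23) in an explicit IANA time zone, so the business-hours rule
// does not silently depend on wherever the server process happens to run.
function hourIn(date, timeZone) {
  const fmt = new Intl.DateTimeFormat('en-US', { hour: 'numeric', hourCycle: 'h23', timeZone });
  return parseInt(fmt.format(date), 10);
}

// Each policy states when it applies and what must hold. Every applicable
// policy must pass; the RBAC table is simply the first of them.
const POLICIES = [
  { name: 'role must grant the action',
    applies: () => true,
    check: ({ user, action }) => ROLES[user.role].includes(action) },
  { name: 'only the author or an admin may edit an article',
    applies: ({ action, resource }) => action === 'write' && resource?.type === 'article',
    check: ({ user, resource }) => user.role === 'admin' || user.id === resource.authorId },
  { name: 'deletes only during business hours (09:00-18:59)',
    applies: ({ action }) => action === 'delete',
    check: ({ env }) => { const h = hourIn(env.now, env.timeZone); return h >= 9 && h <= 18; } },
];

// Returns { allow, reason } so denials can be logged with the rule that fired.
// Anonymous users and roles not in the table are denied before any policy runs
// (hasOwnProperty also rejects prototype names such as 'constructor').
function decide(user, action, resource, env = {}) {
  if (!user || !Object.prototype.hasOwnProperty.call(ROLES, user.role)) {
    return { allow: false, reason: 'unauthenticated or unknown role' };
  }
  const ctx = { user, action, resource,
                env: { now: env.now ?? new Date(), timeZone: env.timeZone ?? 'UTC' } };
  for (const policy of POLICIES) {
    if (policy.applies(ctx) && !policy.check(ctx)) return { allow: false, reason: policy.name };
  }
  return { allow: true, reason: 'all applicable policies passed' };
}

function isAllowed(user, action, resource, env) {
  return decide(user, action, resource, env).allow;
}
```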
Supabase RLS (Row Level Security)
-- Policies are not enforced until RLS is enabled on the table.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
-- Users can only see their own orders
CREATE POLICY "Users can view own orders"
  ON orders FOR SELECT
  USING (auth.uid() = user_id);
-- Admins can see everything (permissive SELECT policies are OR-ed with the one above).
-- Caveat: Supabase's top-level 'role' claim is the Postgres role (e.g. 'authenticated');
-- an application role belongs in a custom claim, normally under app_metadata, which users cannot edit.
CREATE POLICY "Admins can view all"
  ON orders FOR SELECT
  USING (auth.jwt() ->> 'role' = 'admin');