Allow or deny access to certain resources in your application, e.g.

/* @runkit */
// register extension

// overload definition
Grown('Access', {
  access_filter: ctx => {
    // retrieve role from the URL
    const matches = ctx.req.url.match(/[&?]role=(\w+)/);

    if (matches) {
      return matches[1];
    }
  },
});

// setup rules
Grown.Access.rules({
  roles: [
    // ...
  ],
  resources: {
    // this rule will block all requests
    Website: '/**',

    // but only these requests will be allowed
    Public: /^\/(?:login|logout|public)/,
  },
  permissions: {
    Website: {
      // User and its parents' roles get access too!
      User: 'allow',
    },
    Public: 'allow',
  },
});

// once Access is plugged on the server
// all new middleware gets protected by default
server.mount(ctx => {
  ctx.res.write('You are welcome!');

  // validate against undefined rules
  return ctx.check('Foo', 'Bar', 'baz')
    .catch(() => {
      ctx.res.write('\nNot here...');
    });
});
Click ► RUN and try loading different URLs like /etc or /login in your browser.
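The access_filter in the demo above takes the role from a query-string parameter, which the requester controls. As an added example (not code from the Grown documentation), here is a filter with the same shape that resolves the role from server-side session state instead. The cookie name `sid`, the in-memory `sessions` store, the role names other than `User` and the `Guest` fallback are assumptions.

```javascript
// Added example: resolve the role from server-side state, never from the URL.
// Assumed names: cookie `sid`, in-memory `sessions` store, roles other than
// `User`, and the `Guest` fallback.
const crypto = require('crypto');

const KNOWN_ROLES = new Set(['Guest', 'User', 'Admin']);
const sessions = new Map(); // session id -> { role, expires }

function createSession(role, ttlMs = 15 * 60 * 1000, now = Date.now()) {
  if (!KNOWN_ROLES.has(role)) throw new Error(`unknown role: ${role}`);
  const id = crypto.randomBytes(32).toString('hex'); // unguessable id
  sessions.set(id, { role, expires: now + ttlMs });
  return id;
}

function readCookie(header, name) {
  for (const part of String(header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Same shape as the page's access_filter: takes ctx, returns a role name.
function accessFilter(ctx, now = Date.now()) {
  const id = readCookie(ctx.req.headers && ctx.req.headers.cookie, 'sid');
  const session = id ? sessions.get(id) : undefined;

  if (!session) return 'Guest'; // no cookie or unknown session id
  if (session.expires <= now) { // expired: drop it and downgrade
    sessions.delete(id);
    return 'Guest';
  }
  return KNOWN_ROLES.has(session.role) ? session.role : 'Guest';
}

// Constructed request: the query string claims Admin, the session says User.
const sid = createSession('User');
const ctx = {
  req: { url: '/etc?role=Admin', headers: { cookie: `theme=dark; sid=${sid}` } },
};
console.log(accessFilter(ctx)); // the role stored for the session
```

It can be passed as `access_filter` in the `Grown('Access', { ... })` definition in place of the query-string version.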

Methods mixin

  • check(role, resource[, action]) — Validates the given rules against the current connection and returns a promise. If no role is given, it tries to call access_filter to retrieve one.

Public props static

  • resources — Collected resources from rules calls.
  • permissions — Collected permissions from rules calls.

Public methods static

  • $install(ctx) — Used by server.plug calls.
  • $mixins() — Extra Grown.Conn.Builder definitions.
  • rules(config) — Compile given config into access rules.

Private* props static

  • _groups — Graph from collected roles.
  • _ruleset — Collection of compiled rules.

Private* methods static

  • _reduceHandler(handler, permissions) — Check if handler exists within permissions, returns null otherwise.
  • _compileMatch(rule) — Turns a single rule into a middleware callback.
  • _makeMatcher(ruleset) — Iterates the given ruleset and compiles each rule. It returns a middleware callback.
  • _makeTree(role, groups, property) — Returns a flat representation of the given role in the groups graph; property can be children or parent.
  • _runACL(ctx, role, handlers) — Validates role access through ctx. The given handlers should be an array of single resources and actions. It returns a promise.
