Module access

The areto/filters/AccessControl filter is used in Admin class objects to protect the Admin module from unauthorized access. This filter based on rules defined in the rules parameter. Each rule element initializes areto/filters/AccessRule class object.

This allow property defines the type of rules allowing (true) or forbidding (false). Permissions property contains an array of access right items that use this rule. In addition to items in rbac/items file, there are two built-in roles:

  • ? - an guest (anonymous) user.
  • @ - a logged-on user.


const Base = require('areto/base/Module');

module.exports = class Admin extends Base {

  static getConstants ()  {
    return {
      BEHAVIORS: {
        access: {
          Class: require('areto/filters/AccessControl'),
          rules: [{
            allow: true,
            permissions: ['reader']

If a user is anonymous, the filter will redirect him to the login form. If a user is logged and does not have access, then "403 Access Denied" message is displayed.