
Class: PermissionEnforcer

Defined in: src/plugins/sandbox/permission-enforcer.ts:75

Permission enforcer implementation.

Remarks

Provides runtime permission enforcement for plugins:

  • Network access by domain allowlist
  • Storage quota enforcement
  • Hook access by declared permissions

Uses ES6 Proxy to wrap service interfaces and check permissions before each method call.

Example

const enforcer = container.resolve(PermissionEnforcer);

// Check permission
if (enforcer.checkPermission(plugin, 'network:api.github.com')) {
  // Plugin can access GitHub
}

// Create proxied service
const proxiedCache = enforcer.createPermissionProxy(
  cache,
  'storage:write',
  plugin
);

// Enforce network access
enforcer.enforceNetworkAccess(plugin, 'api.github.com');

Implements

Constructors

new PermissionEnforcer()

new PermissionEnforcer(logger): PermissionEnforcer

Defined in: src/plugins/sandbox/permission-enforcer.ts:91

Creates a new PermissionEnforcer.

Parameters

logger

ILogger

Logger instance

Returns

PermissionEnforcer

Methods

checkPermission()

checkPermission(plugin, permission): boolean

Defined in: src/plugins/sandbox/permission-enforcer.ts:117

Checks if a plugin has a specific permission.

Parameters

plugin

IChivePlugin

Plugin to check

permission

string

Permission string

Returns

boolean

True if permission is granted

Remarks

Permission string formats:

  • network:domain.com - Network access to domain
  • hook:event.name - Hook subscription
  • storage:read or storage:write - Storage access

Example

if (enforcer.checkPermission(plugin, 'network:api.github.com')) {
  // Plugin can access GitHub
}

Implementation of

IPermissionEnforcer.checkPermission


createPermissionProxy()

createPermissionProxy<T>(service, requiredPermission, plugin): T

Defined in: src/plugins/sandbox/permission-enforcer.ts:163

Creates a permission-checking proxy for a service.

Type Parameters

T extends object

Parameters

service

T

Service to wrap

requiredPermission

string

Permission required to access service

plugin

IChivePlugin

Plugin requesting access

Returns

T

Proxied service that checks permissions on each call

Remarks

The returned proxy intercepts all method calls and checks the required permission before delegating to the actual method.

Example

const proxiedCache = enforcer.createPermissionProxy(
  cache,
  'storage:write',
  plugin
);

// This will check permission before calling set
await proxiedCache.set('key', 'value');

Implementation of

IPermissionEnforcer.createPermissionProxy
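
A minimal sketch of the Proxy pattern described above, added here as an illustration; it is not the project's implementation. `PluginLike`, its `permissions` set, `permissionProxy`, `MemoryCache` and the sample objects are hypothetical names. The check runs when the method is called rather than when it is read, so a method reference a plugin saved earlier is also blocked once the grant is removed.

```typescript
// Added sketch, not the project's code. PluginLike and its `permissions`
// set are assumptions; IChivePlugin's real shape is not shown on this page.
interface PluginLike {
  id: string;
  permissions: Set<string>;
}

function permissionProxy<T extends object>(
  service: T,
  requiredPermission: string,
  plugin: PluginLike,
): T {
  return new Proxy(service, {
    get(target, prop) {
      const value: unknown = Reflect.get(target, prop, target);
      // Non-function properties pass through unchecked in this sketch.
      if (typeof value !== 'function') return value;
      // Check at call time, not at property-read time, so a method
      // reference saved earlier stops working once the grant is removed.
      return (...args: unknown[]): unknown => {
        // Exact string match: no prefix, suffix or wildcard matching.
        if (!plugin.permissions.has(requiredPermission)) {
          const err = new Error(
            `${plugin.id} lacks ${requiredPermission} for ${String(prop)}()`,
          );
          err.name = 'PermissionDeniedError';
          throw err;
        }
        // Call with the real target as `this` so the method's internal
        // calls do not re-enter the proxy.
        return Reflect.apply(value, target, args);
      };
    },
  });
}

// Constructed sample service and plugin.
class MemoryCache {
  private data = new Map<string, string>();
  set(key: string, value: string): void { this.data.set(key, value); }
  get(key: string): string | undefined { return this.data.get(key); }
}
const samplePlugin: PluginLike = {
  id: 'demo',
  permissions: new Set(['storage:write']),
};
const sampleCache = permissionProxy(new MemoryCache(), 'storage:write', samplePlugin);
```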


decreaseStorageUsage()

decreaseStorageUsage(pluginId, sizeBytes): void

Defined in: src/plugins/sandbox/permission-enforcer.ts:366

Internal

Decreases storage usage for a plugin.

Parameters

pluginId

string

Plugin ID

sizeBytes

number

Size to subtract

Returns

void

Remarks

Called when data is deleted from plugin storage.


enforceHookAccess()

enforceHookAccess(plugin, hookName): void

Defined in: src/plugins/sandbox/permission-enforcer.ts:316

Enforces hook access permission.

Parameters

plugin

IChivePlugin

Plugin requesting hook access

hookName

string

Hook being accessed

Returns

void

Throws

If hook not allowed

Example

enforcer.enforceHookAccess(plugin, 'preprint.indexed');
// Throws if plugin doesn't have hook:preprint.indexed permission

Implementation of

IPermissionEnforcer.enforceHookAccess


enforceNetworkAccess()

enforceNetworkAccess(plugin, domain): void

Defined in: src/plugins/sandbox/permission-enforcer.ts:224

Enforces network access permission.

Parameters

plugin

IChivePlugin

Plugin requesting access

domain

string

Domain being accessed

Returns

void

Throws

If access denied

Example

enforcer.enforceNetworkAccess(plugin, 'api.github.com');
// Throws if plugin doesn't have network:api.github.com permission

Implementation of

IPermissionEnforcer.enforceNetworkAccess


enforceStorageLimit()

enforceStorageLimit(plugin, sizeBytes): void

Defined in: src/plugins/sandbox/permission-enforcer.ts:260

Enforces storage limit.

Parameters

plugin

IChivePlugin

Plugin requesting storage

sizeBytes

number

Size of data being stored

Returns

void

Throws

If quota exceeded

Example

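// Measure encoded bytes; String.length counts UTF-16 code units, not bytes
const dataSize = new TextEncoder().encode(JSON.stringify(data)).length;
enforcer.enforceStorageLimit(plugin, dataSize);
// Throws if adding dataSize would exceed quota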

Implementation of

IPermissionEnforcer.enforceStorageLimit


getStorageUsage()

getStorageUsage(pluginId): number

Defined in: src/plugins/sandbox/permission-enforcer.ts:351

Gets current storage usage for a plugin.

Parameters

pluginId

string

Plugin ID

Returns

number

Current storage usage in bytes, or 0 if not tracked


resetStorageUsage()

resetStorageUsage(pluginId): void

Defined in: src/plugins/sandbox/permission-enforcer.ts:337

Resets storage usage tracking for a plugin.

Parameters

pluginId

string

ID of plugin to reset

Returns

void

Remarks

Called when a plugin is unloaded or when storage is cleared.

Implementation of

IPermissionEnforcer.resetStorageUsage
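
A sketch of the quota accounting behind enforceStorageLimit(), decreaseStorageUsage(), getStorageUsage() and resetStorageUsage(), added here as an illustration; it is not the project's implementation. The 1024-byte quota, the function names and the choice to record usage inside the enforce step are assumptions. It shows the input checks that keep a caller from lowering its recorded usage with a negative or NaN size.

```typescript
// Added sketch, not the project's code. The quota value and the choice to
// record usage inside enforceLimit() are assumptions.
const QUOTA_BYTES = 1024; // constructed limit for the demo

const usageByPlugin = new Map<string, number>();

function byteLength(data: unknown): number {
  // Count encoded bytes; String.length counts UTF-16 code units instead.
  return new TextEncoder().encode(JSON.stringify(data)).length;
}

function assertValidSize(sizeBytes: number): void {
  // NaN compares false against any limit, and a negative size would lower
  // recorded usage, so both are rejected before any arithmetic.
  if (!Number.isSafeInteger(sizeBytes) || sizeBytes < 0) {
    throw new RangeError(`invalid size: ${sizeBytes}`);
  }
}

function enforceLimit(pluginId: string, sizeBytes: number): void {
  assertValidSize(sizeBytes);
  const next = (usageByPlugin.get(pluginId) ?? 0) + sizeBytes;
  if (next > QUOTA_BYTES) {
    throw new Error(`quota exceeded for ${pluginId}: ${next} > ${QUOTA_BYTES}`);
  }
  usageByPlugin.set(pluginId, next); // record only after the check passes
}

function decreaseUsage(pluginId: string, sizeBytes: number): void {
  assertValidSize(sizeBytes);
  // Clamp at zero so a double delete cannot bank negative usage.
  const current = usageByPlugin.get(pluginId) ?? 0;
  usageByPlugin.set(pluginId, Math.max(0, current - sizeBytes));
}

function getUsage(pluginId: string): number {
  return usageByPlugin.get(pluginId) ?? 0; // 0 if not tracked
}

function resetUsage(pluginId: string): void {
  usageByPlugin.delete(pluginId);
}
```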