acl

0.4.11 verified Sat Apr 25 auth: no javascript maintenance

ACL (Access Control List) library for Node.js, version 0.4.11, last updated in 2019. Provides role-based permission management with support for Redis, MongoDB, and in-memory backends. Includes Express middleware for protecting routes. Compared to alternatives like accesscontrol or casl, acl is older and more minimalistic, with a callback/promise API and limited TypeScript support. The package is in maintenance mode; no active development.

Common errors

error TypeError: acl.allow is not a function ↓

cause The variable acl shadows the module import. You used 'new acl()' and then tried to call acl.allow(). After instantiating, the 'acl' variable refers to the instance, not the module.

fix

Use a different variable name for the instance, e.g., const aclInstance = new acl(new acl.redisBackend(client)); aclInstance.allow(...).

error Error: Redis connection to 127.0.0.1:6379 failed ↓

cause Redis server is not running or not accessible.

fix

Start Redis server with 'redis-server' or provide correct host/port in redis.createClient().

error Cannot find module 'acl' ↓

cause Package not installed.

fix

Run 'npm install acl' in your project directory.

error acl.middleware is not a function ↓

cause Attempted to use acl.middleware directly as a middleware instead of calling it.

fix

Use app.use(acl.middleware()) instead of app.use(acl.middleware).

Warnings

gotcha acl.allow() with wildcard '*' does not grant permissions on resources that are not explicitly listed. ↓

fix Use acl.allow('admin', '*', '*') to grant all permissions on all resources, or list all resources explicitly.

gotcha The library does not chain methods; each call returns a promise (or calls callback). ↓

fix Use promises or callbacks; do not attempt method chaining.

deprecated Callbacks are deprecated; use promises instead. ↓

fix Omit callback parameter and use .then().catch() or async/await.

gotcha Redis backend requires a connected client; passing an unconnected client will cause errors. ↓

fix Ensure redisClient is connected before instantiating ACL.

gotcha middleware() with no parameters restricts all routes; you must specify resource and permissions options. ↓

fix Pass option object with 'role' and 'resource' or use acl.middleware(3, 'user', 'username') for dynamic roles.

Install

npm install acl

yarn add acl

pnpm add acl

Imports

acl
wrong
```
import acl from 'acl'
```
correct
```
const acl = require('acl')
```
Package is CommonJS only; no default ESM export.

new acl()

wrong

const acl = new acl.redisBackend()

correct

const acl = new acl(new acl.redisBackend(redisClient))

acl must be instantiated with a backend instance.

acl.middleware
wrong
```
app.use(acl.middleware)
```
correct
```
app.use(acl.middleware())
```
middleware() returns a function; must be called with () even without options.

Quickstart

Creates an ACL instance with Redis backend, allows admin full access to blogs, assigns user 'john' as admin, and checks if john can delete blogs.

const acl = require('acl');
const redis = require('redis');
const client = redis.createClient();
const aclInstance = new acl(new acl.redisBackend(client));
aclInstance.allow('admin', 'blogs', '*');
aclInstance.addUserRoles('john', 'admin');
aclInstance.isAllowed('john', 'blogs', 'delete', (err, allowed) => {
  console.log('Allowed:', allowed); // true
});