Augustin LAVILLE gustavi

@mikermcneil
mikermcneil / sails-policy-best-practices-and-faq.md
Last active July 11, 2019 09:48
FAQ and best practices for using policies in Sails.js

Policies in Sails.js

Policies are additive. Anything you might do with policies, you could just implement in your custom actions directly. But they can make your life a lot easier.

When should I use policies?

Policies can be used like middleware, meaning you can do almost anything you can imagine with them. That said, our experience using Sails to build all sorts of different apps has taught us that policies are best used for one very specific purpose: preventing access to actions for certain users (or types of users) where those actions are not accessible in the UI. That is, policies are best used like preconditions: you can use them to take care of edge cases that are only possible by cheating the UI.

For example, imagine you're building an action called changePassword in your UserController. Its job is to take the new password that was provided, encrypt it, then update the database record for the currently-logged-in user to save the new encrypted password. When you implement and test

<?php
// Without a mail parameter, show this file's own source and stop.
if (!isset($_GET['mail']))
    highlight_file(__FILE__) && exit();
$mail = filter_var($_GET['mail'], FILTER_VALIDATE_EMAIL);
$addr = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
// Reject invalid input before using it; the GeoIP lookup needs a real address,
// so it runs only after $addr has been validated.
if (!$addr || strlen($addr) == 0) die('bad addr');
if (!$mail || strlen($mail) == 0) die('bad mail');
$country = geoip_country_code_by_name($addr);