Access Control
Lucent provides fine-grained access control for your collections.
Global Access Rules
Define access rules in your configuration:

```typescript
export default defineConfig({
  access: {
    // Who can perform what operations
    can: {
      // Create any record
      create: () => true,
      // Read any record
      read: () => true,
      // Update any record
      update: () => true,
      // Delete any record
      delete: () => true,
      // Custom rules
      publish: (user) => user?.role === "admin",
    },
  },
});
```

Every built-in rule above returns true, so as written any client, authenticated or not, can create, update and delete records. Treat it as a template: replace each rule with the check you actually need, and have a rule return false whenever it cannot positively establish that the operation is allowed.

Collection-Level Access
```typescript
export const posts = defineCollection({
  name: "posts",
  access: {
    // Any signed-in user may create
    create: (user) => !!user,
    // Anyone may read
    read: () => true,
    // Require a user before comparing ids: with `user?.id === record.authorId`,
    // an anonymous request (user is null) matches any record whose authorId is unset,
    // because undefined === undefined is true
    update: (user, record) => !!user && (user.id === record.authorId || user.role === "admin"),
    // Admins only
    delete: (user) => user?.role === "admin",
  },
});
```

Field-Level Access
```typescript
export const users = defineCollection({
  name: "users",
  fields: {
    email: {
      type: "email",
      required: true,
      // Only admins can see other users' emails; a user can always see their own.
      // The user is required first so an anonymous read never matches a record with no id.
      access: {
        read: (user, record) => !!user && (user.role === "admin" || user.id === record.id),
      },
    },
    password: { type: "string", hidden: true },
    role: { type: "select", options: ["user", "admin"] },
  },
});
```

Read rules control what a client sees; what a client may change matters just as much. A `role` field that a user can set on their own record is a privilege escalation, so restrict writes to it to admins (the collection's update rule can inspect the submitted `data`, see Access Context below).

Access Context
Access functions receive the user, the record, and the submitted data:

```typescript
access: {
  // user   - the authenticated user (or null)
  // record - the record being accessed (for update/delete)
  // data   - the data being submitted (for create/update)
  update: (user, record, data) => {
    if (!user) return false;
    if (user.role === "admin") return true;
    return record.authorId === user.id;
  },
}
```

Checking `data` matters as much as checking `record`: the rule above lets an author edit their own post but says nothing about what they may change. If `authorId` is writable, an author can hand the post to another account, and any other server-managed field is open to the client as well; reject a non-admin request whose `data.authorId` differs from `user.id`.

Built-in Helpers
```typescript
import { allow, deny, ownerOnly, roles } from "@lucent/core";

export const posts = defineCollection({
  name: "posts",
  access: {
    // Specific roles only
    create: roles(["admin", "moderator"]),
    // Allow everyone
    read: allow,
    // Only the record owner, matched on the named field
    update: ownerOnly("authorId"),
    // Deny everyone
    delete: deny,
  },
});
```

The calls above follow the argument each helper takes (a field name for `ownerOnly`, a list of roles for `roles`); confirm the exact signatures against the typings shipped with @lucent/core.
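A worked evaluator in the shape of the rules in the Access Context and Built-in Helpers sections, added here as an example and not Lucent's own code: the types, `evaluate`, `redact` and the bodies of `allow`, `deny`, `ownerOnly` and `roles` are assumptions that mirror the names imported above, not the implementations in @lucent/core. It demonstrates the anonymous-user match that an optional-chaining owner check allows, author reassignment through `data`, deny-by-default for operations with no rule, and field-level redaction of a read.

```typescript
// Added example, not Lucent's code. Helper bodies below are assumptions that
// mirror the names imported from "@lucent/core"; they are not that package's.

type User = { id: string; role: "user" | "admin" | "moderator" } | null;
type Rec = Record<string, unknown>;
type AccessFn = (user: User, record?: Rec, data?: Rec) => boolean;
type Op = "create" | "read" | "update" | "delete";
type Rules = Partial<Record<Op, AccessFn>>;

export const allow: AccessFn = () => true;
export const deny: AccessFn = () => false;

// Owner check: the user is required first, so a record with no owner field can
// never match an anonymous request (undefined === undefined would otherwise pass).
export const ownerOnly = (field: string): AccessFn => (user, record) =>
  user !== null && record?.[field] === user.id;

export const roles = (allowed: string[]): AccessFn => (user) =>
  user !== null && allowed.includes(user.role);

// Deny by default: an operation with no rule is refused, and only a strict
// `true` allows, so a rule that returns a truthy non-boolean by mistake denies.
export function evaluate(rules: Rules, op: Op, user: User, record?: Rec, data?: Rec): boolean {
  const rule = rules[op];
  return rule ? rule(user, record, data) === true : false;
}

// The update rule as it is commonly written with optional chaining (the pitfall).
export const postsAsWritten: Rules = {
  update: (user, record) => user?.id === record?.authorId || user?.role === "admin",
};

// Hardened: require a user before comparing, and refuse to let a non-admin
// change `authorId` through the submitted `data`.
export const postsHardened: Rules = {
  create: (user) => user !== null,
  read: allow,
  update: (user, record, data) => {
    if (user === null) return false;
    if (user.role === "admin") return true;
    if (data && "authorId" in data && data.authorId !== user.id) return false;
    return ownerOnly("authorId")(user, record);
  },
  delete: roles(["admin"]),
};

// Field-level read filtering: declared fields are an allowlist. Undeclared
// fields, hidden fields, and fields whose read rule fails are dropped.
type FieldRules = Record<string, { hidden?: boolean; access?: Pick<Rules, "read"> }>;
export function redact(fields: FieldRules, user: User, record: Rec): Rec {
  const out: Rec = {};
  for (const [name, value] of Object.entries(record)) {
    const spec = fields[name];
    if (!spec || spec.hidden) continue;
    if (spec.access?.read && spec.access.read(user, record) !== true) continue;
    out[name] = value;
  }
  return out;
}

export const userFields: FieldRules = {
  id: {},
  email: {
    access: { read: (user, record) => user !== null && (user.role === "admin" || user.id === record?.id) },
  },
  password: { hidden: true },
  role: {},
};

// Constructed sample users and records for the demonstration.
export function demo() {
  const anon: User = null;
  const alice: User = { id: "u1", role: "user" };
  const bob: User = { id: "u2", role: "user" };
  const orphan: Rec = { title: "post with no authorId" };
  const alicePost: Rec = { title: "mine", authorId: "u1" };
  const aliceRow: Rec = { id: "u1", email: "alice@example.com", password: "hash", role: "user" };
  return {
    anonUpdatesOrphanAsWritten: evaluate(postsAsWritten, "update", anon, orphan), // true: the bug
    anonUpdatesOrphanHardened: evaluate(postsHardened, "update", anon, orphan), // false
    aliceUpdatesOwn: evaluate(postsHardened, "update", alice, alicePost, { title: "edited" }), // true
    aliceReassignsAuthor: evaluate(postsHardened, "update", alice, alicePost, { authorId: "u2" }), // false
    bobUpdatesAlicePost: evaluate(postsHardened, "update", bob, alicePost), // false
    missingRuleDenied: evaluate(postsAsWritten, "delete", alice, alicePost), // false: no rule
    bobSeesAlice: redact(userFields, bob, aliceRow), // { id: "u1", role: "user" }
    aliceSeesSelf: redact(userFields, alice, aliceRow), // email kept, password dropped
  };
}
```

The two decisions worth carrying into real rules are in `evaluate` and `ownerOnly`: an unset rule denies rather than allows, and every identity comparison is guarded by a non-null user so that missing fields never compare equal to a missing user.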