Add permission whitelist docs (denoland#2365)

mamounothman · May 16, 2019 · 9c9c58c · 9c9c58c
1 parent 6679c48
commit 9c9c58c
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/cli/flags.rs b/cli/flags.rs
@@ -191,6 +191,9 @@ ability to spawn subprocesses.
  # run program with permission to read from disk and listen to network
  deno run --allow-net --allow-read https://deno.land/std/http/file_server.ts
 
+ # run program with permission to read whitelist files from disk and listen to nework
+ deno run --allow-net --allow-read=$(pwd) https://deno.land/std/http/file_server.ts 
+
  # run program with all permissions
  deno run -A https://deno.land/std/http/file_server.ts
 ",

diff --git a/website/manual.md b/website/manual.md
@@ -357,6 +357,37 @@ And if you ever want to upgrade to the latest published version:
 $ file_server --reload
 ```
 
+### Permissions whitelist
+
+deno also provides permissions whitelist.
+
+This is an example to restrict File system access by whitelist.
+
+```shellsession
+$ deno run --allow-read=/usr https://deno.land/std/examples/cat.ts /etc/passwd
+⚠️ Deno requests read access to "/etc/passwd". Grant? [a/y/n/d (a = allow always, y = allow once, n = deny once, d = deny always)]
+```
+
+You can grant read permission under `/etc` dir
+
+```shellsession
+$ deno run --allow-read=/etc https://deno.land/std/examples/cat.ts /etc/passwd
+```
+
+`--allow-write` works same as `--allow-read`.
+
+This is an example to restrict host.
+
+```ts
+(async () => {
+ const result = await fetch("https://deno.land/std/examples/echo_server.ts");
+})();
+```
+
+```shellsession
+$ deno run --allow-net=deno.land allow-net-whitelist-example.ts
+```
+
 ### Run subprocess
 
 [API Reference](https://deno.land/typedoc/index.html#run)