Resource Configuration (RBAC)

Define fine-grained access control and resource policies.

Overview

You can define fine-grained access control and resource policies in your nuxt.config.ts under the autoCrud key.

Example Configuration

// nuxt.config.ts
export default defineNuxtConfig({
  autoCrud: {
    resources: {
      // Guest View: Only these columns are visible to unauthenticated users.
      // Access control (who can list/read) is managed by your DB permissions.
      users: ['id', 'name', 'avatar'], 
    },
  },
})

Advanced Field Visibility

Currently, nuxt-auto-crud simplifies visibility into two tiers:

  1. Guest (Unauthenticated): Restricted to the public column list (publicColumns) configured per resource under resources.
  2. Authenticated (All Roles): Sees all fields except the globally hidden ones (such as password).

Industry Standard for Granular Control: In enterprise applications that require role-specific field visibility (e.g., "Managers" see salary, "Employees" do not), the standard approach is Field-Level Security (FLS) enforced on the server, either stored as permissions in the database or applied via API Resources/Transformers in code.

As nuxt-auto-crud focuses on MVP speed and simplicity, role-specific field filtering is currently out of scope for the configuration file. If you require this level of granularity, we recommend:

  • Creating a custom API endpoint for that specific view.
  • Contributing to the project to add DB-based Field Permissions.

Security Note

Even in full-stack applications where you control the UI, relying on the frontend to "not display" sensitive data is a security vulnerability. The API response still contains the data, so it is visible in the browser's Network tab or to any HTTP client that calls the endpoint directly; filtering must happen on the server before the response is sent.

  • Global Hiding: Fields like password, secret, and token are automatically hidden from ALL responses by default.
  • Context Hiding: Use the resources config (as shown above) to filter other semi-sensitive fields (like email or phone) specifically from public guest responses.
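The following is an added example, not code from nuxt-auto-crud, showing what server-side enforcement of the rules on this page looks like: the globally hidden fields are stripped from every response, guests are reduced to the column list from the resources config, and a role-based filter illustrates the kind of custom endpoint recommended above for the "Managers see salary" case. The employees resource entry, the role-to-column map, the fail-closed behaviour for unknown resources and roles, and the sample rows are all assumptions constructed here; only the users entry and the password/secret/token names come from the page.

```typescript
// Added example (not nuxt-auto-crud's own code). Demonstrates server-side
// field filtering for the two visibility tiers described on this page, plus a
// role-based extension of the kind a custom endpoint would implement.

type Row = Record<string, unknown>;

interface Caller {
  authenticated: boolean;
  role?: string; // only meaningful when authenticated
}

// Mirrors the autoCrud.resources block from nuxt.config.ts on this page.
// The `employees` entry is constructed for this example.
const resourcesConfig: Record<string, string[]> = {
  users: ['id', 'name', 'avatar'],
  employees: ['id', 'name'],
};

// Field names the page says are hidden from ALL responses, for every caller.
const GLOBALLY_HIDDEN: ReadonlySet<string> = new Set(['password', 'secret', 'token']);

// Hypothetical role -> visible columns map for a custom endpoint. This is NOT a
// nuxt-auto-crud config option; it reproduces the page's manager/employee scenario.
export const employeeFieldsByRole: Record<string, string[]> = {
  manager: ['id', 'name', 'department', 'salary'],
  employee: ['id', 'name', 'department'],
};

// Keep only the allowed keys of a row. `allowed === null` means "all keys",
// but globally hidden fields are dropped unconditionally before that check.
function pick(row: Row, allowed: ReadonlySet<string> | null): Row {
  const out: Row = {};
  for (const [key, value] of Object.entries(row)) {
    if (GLOBALLY_HIDDEN.has(key)) continue; // never leaves the server
    if (allowed !== null && !allowed.has(key)) continue;
    out[key] = value;
  }
  return out;
}

// Two-tier rule from the page: guests get the resource's public column list,
// authenticated callers get everything except the globally hidden fields.
// Assumption: a resource with no config entry exposes nothing to guests.
export function filterForResource(resource: string, row: Row, caller: Caller): Row {
  if (caller.authenticated) return pick(row, null);
  const publicColumns = resourcesConfig[resource] ?? [];
  return pick(row, new Set(publicColumns));
}

// Role-based extension for a custom endpoint. An unknown or missing role falls
// back to the guest column list rather than to "all fields", so a missing
// mapping fails closed instead of leaking columns.
export function filterForRole(
  resource: string,
  row: Row,
  caller: Caller,
  byRole: Record<string, string[]>,
): Row {
  const roleColumns = caller.authenticated && caller.role ? byRole[caller.role] : undefined;
  if (!roleColumns) return filterForResource(resource, row, { authenticated: false });
  return pick(row, new Set(roleColumns));
}

// Apply the same rule to a list response (e.g. a GET /api/users handler).
export function filterList(resource: string, rows: Row[], caller: Caller): Row[] {
  return rows.map((row) => filterForResource(resource, row, caller));
}

// Constructed sample row: what a users table record might look like.
const sampleUser: Row = {
  id: 1,
  name: 'Ada',
  avatar: 'ada.png',
  email: 'ada@example.com',
  password: 'argon2id$...',
  token: 'sess-abc',
};

console.log('guest sees:', filterForResource('users', sampleUser, { authenticated: false }));
console.log('authenticated sees:', filterForResource('users', sampleUser, { authenticated: true }));
```

In a Nitro handler the caller's authentication state would come from the session rather than a literal, and the filtering runs on every path that returns rows (list, read, and any custom endpoint), since a single unfiltered route is enough to expose the hidden columns.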