NodeJS Permissions

Lecture examples for the Node.js Permission Model (Node 25+). The model is stable and enabled with --permission (not --experimental-permission).

Requirements

• Node.js 25+

Layout

File	Purpose
config.json	Demo config (apiUrl, logFile).
app.js	Main demo app: reads config, writes log, HTTP get, worker, child process.
worker.js	Worker used by app.js.
1-default.js / 1-default.sh	Run without permission mode.
2-deny.sh	--permission only → fails (deny by default).
3-fs-read.sh	Allow only config read.
4-fs-write.sh	Config read + log write.
5-net.sh	+ network.
6-worker.sh	+ worker (and worker.js read).
7-child.sh	+ child process (full allow-list).
8-runtime-check.js / 8-runtime-check.sh	process.permission.has() demo.

Run demos

From repo root (scripts cd into JavaScript/):

chmod +x JavaScript/*.sh
./JavaScript/1-default.sh   # no restrictions
./JavaScript/2-deny.sh      # fails with ERR_ACCESS_DENIED
./JavaScript/3-fs-read.sh   # only config read
./JavaScript/4-fs-write.sh  # + log write (ensure JavaScript/var exists)
./JavaScript/5-net.sh       # + network
./JavaScript/6-worker.sh    # + worker
./JavaScript/7-child.sh     # full allow-list
./JavaScript/8-runtime-check.sh  # runtime permission checks

Or from JavaScript/:

node 1-default.js
node --permission app.js
# etc.

CLI flags used

• --permission — enable permission model (deny by default).
• --allow-fs-read=<path> — allow fs read (multiple flags for multiple paths).
• --allow-fs-write=<path> — allow fs write.
• --allow-net — allow network.
• --allow-worker — allow worker threads.
• --allow-child-process — allow child processes.

Entrypoint script (e.g. app.js) is implicitly readable when permission mode is on.