@@ -3168,6 +3168,65 @@ process.permission.has('fs.read', './README.md');
31683168process .permission .has (' fs.read' );
31693169` ` `
31703170
3171+ ### ` process .permission .drop (scope[, reference])`
3172+
3173+ <!-- YAML
3174+ added: REPLACEME
3175+ -->
3176+
3177+ > Stability: 1.1 - Active Development
3178+
3179+ * ` scope` {string}
3180+ * ` reference` {string}
3181+
3182+ Drops the specified permission from the current process. This operation is
3183+ **irreversible** — once a permission is dropped, it cannot be restored through
3184+ any Node.js API.
3185+
3186+ If no reference is provided, the entire scope is dropped. For example,
3187+ ` process .permission .drop (' fs.read' )` will revoke ALL file system read
3188+ permissions.
3189+
3190+ When a reference is provided, only the permission for that specific resource
3191+ is dropped. For example, ` process .permission .drop (' fs.read' , ' /etc/myapp' )`
3192+ will revoke read access to that directory while keeping other read
3193+ permissions intact.
3194+
3195+ **Important:** You can only drop the exact resource that was explicitly
3196+ granted. The reference passed to ` drop ()` must match the original grant:
3197+
3198+ * If a permission was granted using a wildcard (` * ` ), such as
3199+ ` -- allow- fs- read= * ` , individual paths cannot be dropped - only the entire
3200+ scope can be dropped (by calling ` drop ()` without a reference).
3201+ * If a directory was granted (e.g. ` -- allow- fs- read= / my/ folder` ), you cannot
3202+ drop access to individual files inside it. You must drop the same directory
3203+ that was granted. Any remaining grants continue to apply.
3204+
3205+ The available scopes are the same as [` process .permission .has ()` ][]:
3206+
3207+ * ` fs` - All File System (drops both read and write)
3208+ * ` fs .read ` - File System read operations
3209+ * ` fs .write ` - File System write operations
3210+ * ` child` - Child process spawning operations
3211+ * ` worker` - Worker thread spawning operation
3212+ * ` net` - Network operations
3213+ * ` inspector` - Inspector operations
3214+ * ` wasi` - WASI operations
3215+ * ` addon` - Native addon operations
3216+
3217+ ` ` ` js
3218+ const fs = require (' node:fs' );
3219+
3220+ // Read configuration during startup
3221+ const config = fs .readFileSync (' /etc/myapp/config.json' , ' utf8' );
3222+
3223+ // Drop read access to the config directory after initialization
3224+ process .permission .drop (' fs.read' , ' /etc/myapp' );
3225+
3226+ // This will now throw ERR_ACCESS_DENIED
3227+ fs .readFileSync (' /etc/myapp/config.json' );
3228+ ` ` `
3229+
31713230## ` process .pid `
31723231
31733232<!-- YAML
@@ -4585,6 +4644,7 @@ cases:
45854644[` process .hrtime ()` ]: #processhrtimetime
45864645[` process .hrtime .bigint ()` ]: #processhrtimebigint
45874646[` process .kill ()` ]: #processkillpid-signal
4647+ [` process .permission .has ()` ]: #processpermissionhasscope-reference
45884648[` process .setUncaughtExceptionCaptureCallback ()` ]: #processsetuncaughtexceptioncapturecallbackfn
45894649[` promise .catch ()` ]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Promise/catch
45904650[` queueMicrotask ()` ]: globals.md#queuemicrotaskcallback
0 commit comments