Express.js / Mongoose用户角色和权限 [英] Express.js/Mongoose user roles and permissions
问题描述
在mongoose中有一种方法来确定目前正在由用户执行的CRUD操作的类型?
我找到了一个解决方案。我们有一个权限配置对象来定义每个角色及其权限。
权限配置对象
roles.admin = {
id: admin,
名称:Admin,
描述:,
资源:[
{
id:'blog',
权限:['create','read','update','delete']
},
{
id:'user',
permissions:['create' 'read','update','delete']
},
{
id:'journal',
permissions:['create','read','update ','delete']
},
]
};
roles.editor = {
id:editor,
name:Editor,
description:,
resource:[
{
id:'blog',
权限:['create','read','update','delete']
},
{
id:'user',
permissions:['read']
},
{
id:'journal',
permissions:['create' ,'read','update']
},
]
};
中间件功能
var roles = require('./ config');
var permissions =(function(){
var getRoles = function(role){
var rolesArr = [];
if(typeof role ==='object'&& Array.isArray(role)){
//返回所选角色
for(var i = 0,len = role.length; i
};
return rolesArr;
} else if(typeof role ==='string'||!role){
//返回所有角色
if(!role){
for(var role in roles){
rolesArr.push(roles [role]);
};
}
//返回单个角色
rolesArr.push(roles [role]);
return rolesArr;
}
},
check = function(action,resource,loginRequired ){
return function(req,res,next){
var isAuth = req.isAuthenticated();
//如果用户需要登录&不是
if(loginRequired&!isAuth){
return next(new Error(You must be logged in to view this area));
}
if(isAuth ||!loginRequired){
var authRole = isAuth? req.user.role:'user',
role = get(authRole),
hasPermission = false;
(function(){
for(var i = 0,len = role [0] .resource.length; i< len; i ++){
if [0] .resource [i] .id === resource&&& role [0] .resource [i] .permissions.indexOf(action)!== -1){
hasPermission = true;
return;
}
};
})();
if(hasPermission){
next();
} else {
return next(new Error(你正在尝试+ action +一个+资源+,没有正确的权限。
}
}
}
}
return {
get:function(role){
var roles = getRoles(role);
返回角色;
},
check:function(action,resource,loginRequired){
return check(action,resource,loginRequired);
}
}
})();
module.exports = permissions;
然后我创建了一个中间件功能,当检查方法被调用它从 req 对象(req.user.role)获取用户角色。然后,它会查看传递给中间件的参数,并将它们与权限配置对象中的参数进行交互。
使用middlware路由
app.get('/ journal','** permissions.check('read','journal')**`,function (req,res){
// do stuff
};
I am creating a fairly simple site with Node, Express and Mongoose. The site needs to have have user roles and permissions. My thoughts are that i'll validate permissions based on user interaction with the data base.
In mongoose is there a way to determine the type of CRUD operation currently being carried out possibly by a user?
I've found a solution. It would be great to hear peoples opinions on this.
I have a permissions config object which defines each role and their permissions.
Permissions config object
roles.admin = {
id: "admin",
name: "Admin",
description: "",
resource : [
{
id : 'blog',
permissions: ['create', 'read', 'update', 'delete']
},
{
id : 'user',
permissions: ['create', 'read', 'update', 'delete']
},
{
id : 'journal',
permissions: ['create', 'read', 'update', 'delete']
},
]
};
roles.editor = {
id: "editor",
name: "Editor",
description: "",
resource : [
{
id : 'blog',
permissions: ['create', 'read', 'update', 'delete']
},
{
id : 'user',
permissions: ['read']
},
{
id : 'journal',
permissions: ['create', 'read', 'update']
},
]
};
Middleware function
var roles = require('./config');
var permissions = (function () {
var getRoles = function (role) {
var rolesArr = [];
if (typeof role === 'object' && Array.isArray(role)) {
// Returns selected roles
for (var i = 0, len = role.length; i < len; i++) {
rolesArr.push(roles[role[i]]);
};
return rolesArr;
} else if (typeof role === 'string' || !role) {
// Returns all roles
if (!role) {
for (var role in roles) {
rolesArr.push(roles[role]);
};
}
// Returns single role
rolesArr.push(roles[role]);
return rolesArr;
}
},
check = function (action, resource, loginRequired) {
return function(req, res, next) {
var isAuth = req.isAuthenticated();
// If user is required to be logged in & isn't
if (loginRequired && !isAuth) {
return next(new Error("You must be logged in to view this area"));
}
if (isAuth || !loginRequired) {
var authRole = isAuth ? req.user.role : 'user',
role = get(authRole),
hasPermission = false;
(function () {
for (var i = 0, len = role[0].resource.length; i < len; i++){
if (role[0].resource[i].id === resource && role[0].resource[i].permissions.indexOf(action) !== -1) {
hasPermission = true;
return;
}
};
})();
if (hasPermission) {
next();
} else {
return next(new Error("You are trying to " + action + " a " + resource + " and do not have the correct permissions."));
}
}
}
}
return {
get : function (role) {
var roles = getRoles(role);
return roles;
},
check : function (action, resource, loginRequired) {
return check(action, resource, loginRequired);
}
}
})();
module.exports = permissions;
Then i created a middleware function, when the check method gets called it gets the users role from the req object (req.user.role). It then looks at the params passed to the middleware and cross references them with those in the permissions config object.
Route with middlware
app.get('/journal', `**permissions.check('read', 'journal')**`, function (req, res) {
// do stuff
};
这篇关于Express.js / Mongoose用户角色和权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
