
我在Express應用程序中使用Passport.js進行身份驗證。Node.js中的組級別角色授權

我需要實施基於角色的授權,並且我傾向於使用 connect-roles,因爲它很容易與 Passport 集成。

我明白基本角色是如何被授權的(例如 Admin、User、Editor),但我需要在組的上下文中對這些角色進行授權。

簡化用例爲: 頁面的管理員只能查看和編輯他正在管理的頁面的詳細信息。

如何將基本角色與組分配相結合?是否必須在角色這一步中處理,還是應在 Passport 身份驗證中檢查資源訪問權限?

回答


這是我的做法。它並沒有完全使用 Passport,但效果很好(靈感來自 Ghost)。我不確定這是否是好的做法或者是否安全,但先放在這裏:

config.json 包含權限設定:

"user_groups": { 
    "admin": { 
     "full_name": "Administrators", 
     "description": "Administrators.", 
     "allowedActions": "all" 
    }, 
    "modo": { 
     "full_name": "Moderators", 
     "description": "Moderators.", 
     "allowedActions": ["mod:*", "comment:*", "user:delete browse add banish edit"] 
    }, 
    "user": { 
     "full_name": "User", 
     "description": "User.", 
     "allowedActions": ["mod:browse add star", "comment:browse add", "user:browse"] 
    }, 
    "guest": { 
     "full_name": "Guest", 
     "description": "Guest.", 
     "allowedActions": ["mod:browse", "comment:browse", "user:browse add"] 
    } 
    } 

然後是 permissions.coffee 文件:

mongoose = require("mongoose") 
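###
Determines whether the user identified by `userId` may perform `action`
on `object` ("mod", "user", ...) according to config.user_groups,
e.g. canThis(id, "mod", "delete", cb).

An empty/null/undefined userId, or an id that matches no stored user, is
evaluated with the "guest" group (see `process`).

@param userId the id of the user ("" / null / undefined for an anonymous visitor)
@param object the current object name ("mod", "user"...)
@param action to be executed on the object (delete, edit, browse...)
@param ownerId the optional owner id of the object to be "actionned";
               passed through to `process`, which currently does not use it
@param callback receives `true`/`false`; on a database error it receives
                the Error as its only argument (see note below)

The function is wrapped with `.toPromise(@)`, a helper defined outside this
file; the usage example calls canThis(...).then(...), so it presumably turns
the callback into a promise — confirm how it treats the error call below.
###
exports.canThis = ((userId, object, action, ownerId, callback) -> 
    User = mongoose.model("User") 
    # ownerId is optional: canThis(userId, object, action, callback)
    if typeof ownerId is "function" 
        callback = ownerId 
        ownerId = undefined 
    # Nobody logged in (empty string, null or undefined): evaluate as a guest
    # without a database round-trip. Previously only "" was recognised and
    # null/undefined went to findById (which Mongoose treats as
    # findOne({_id: null}), i.e. no user -> guest anyway).
    unless userId 
        return process(undefined, object, action, ownerId, callback) 
    User.findById(userId, (err, user) -> 
        # NOTE(review): the error is handed to the callback in the *result*
        # position; whether the caller sees a rejection or a truthy "result"
        # depends on what toPromise does with it — confirm.
        if err then return callback err 
        # A non-existent id yields user == null and is evaluated as a guest.
        process(user, object, action, ownerId, callback) 
    ) 
).toPromise(@) 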

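###
Decides whether `user` may perform `action` on `object` using the
allowedActions of the group that matches the user's role in
config.user_groups.

Supported allowedActions forms (all present in config.json):
 - the string "all"                -> every action on every object
 - "object:*"                      -> every action on that object
 - "object:act1 act2 ..."          -> the listed actions on that object

@param user the mongoose user document, or undefined/null for an anonymous
            visitor (mapped to the "guest" group)
@param object the object name ("mod", "user", "comment"...)
@param action the action name (delete, edit, browse...)
@param ownerId accepted for API compatibility; not consulted here — no
               ownership rule is implemented in this function
@param callback called with `true`/`false`, or with an Error when the role
                maps to no configured group

Notes:
 - This module-level `process` shadows Node's global `process` inside this
   file; rename it if the global is ever needed here.
 - The previous `for ... when objAction.indexOf object is 0` guard parsed as
   `indexOf(object is 0)` in CoffeeScript, so no entry could ever match.
###
process = (user, object, action, ownerId, callback) -> 
    # Anonymous visitors are "guest"; a stored user without a role is "user".
    roleName = if user then (user.role or "user") else "guest"
    groups = config.user_groups 
    # Only accept the configured groups' own keys: a role value such as
    # "constructor" must not resolve to something inherited from Object.prototype.
    group = if Object::hasOwnProperty.call(groups, roleName) then groups[roleName] else undefined
    if not group then return callback(new Error "No suitable group") 

    allowed = group.allowedActions 
    # "all" (the admin group) grants everything.
    if allowed is "all" then return callback true 
    # Anything else must be a list of "object:actions" entries; fail closed otherwise.
    if not Array.isArray(allowed) then return callback false 

    for entry in allowed 
        # Each entry is "object:action action ...", e.g. "user:delete browse add".
        [obj, acts] = entry.split(":") 
        continue unless obj is object and acts? 
        verbs = acts.split(" ") 
        # "*" grants every action on this object.
        if verbs.indexOf("*") isnt -1 or verbs.indexOf(action) isnt -1 
            return callback true 

    callback false 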

config = require "../config" 

然後是一些用法示例(使用 Q):

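###
Loads the profile of the user called `name` for editing on behalf of `userid`.

Outcome, in order of evaluation:
 - no `userid` (nobody logged in)      -> rejected with error.throwError "", "UNAUTHORIZED"
 - the requested user does not exist   -> rejected
 - `userid` is neither the owner of the profile nor allowed "user:edit"
   by canThis                          -> rejected
 - otherwise resolves with the mongoose document limited to the selected fields

@param userid id of the user making the request (may be empty)
@param name username of the profile to edit
@returns a Q promise
###
exports.edit = (userid, name) -> 
    # Result of the permission check, kept in the closure so the ownership
    # test below can read it. (Naming the `.then` parameter `can`, as before,
    # shadowed this variable: it stayed false and the permission was ignored,
    # so only owners could ever edit.)
    can = false 
    Q.fcall(-> 
        # Refuse anonymous callers before touching the database.
        if not userid 
            throw error.throwError "", "UNAUTHORIZED" 
        canThis(userid, "user", "edit") 
    ).then((allowed) -> 
        # Only an explicit `true` counts as permission; anything else
        # (false, undefined, an error object) fails closed.
        can = allowed is true 
        User = mongoose.model "User" 
        User.findOne({username: name}).select("username location website public_email company bio").exec() 
    ).then((user) -> 
        # findOne resolves with null when nothing matches; reject explicitly
        # instead of letting `user._id` throw a TypeError.
        if not user 
            throw new Error("User not found") 
        # Owners may always edit themselves; everyone else needs "user:edit".
        if not user._id.equals(userid) and can is false 
            throw new Error() 
        # Returning the document resolves the promise handed to the caller;
        # any throw above rejects it, so no explicit deferred is needed.
        user 
    ) 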

感謝 @Vinz243!不過據我理解,這種授權是全局性的,因爲管理員可以執行允許管理員執行的所有操作。我正在尋找一種把權限限制在組關聯範圍內的方式,你有做過類似的事情嗎? – BarakChamo 2014-08-29 13:16:21


@BarakChamo「我正在尋找一種把權限限制在組關聯範圍內的方式」對不起,我不明白你的意思。 – Vinz243 2014-08-29 16:34:24


舉個例子:一篇帖子的編輯可以編輯自己的帖子,但不能編輯別人的帖子。所以他具有「編輯」這個角色,但他同時也與這篇帖子相關聯。 – BarakChamo 2014-08-29 16:37:56