我們已經在幾個項目裏多次把訪問級別和 Mongoose 結合起來做,到目前爲止這一直是我們最喜歡的方法:
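// The access levels a project can carry; this array is also the schema's enum.
var ACCESS_MODES = 'public followers private explicit'.split(' ');
var projectSchema = new Schema({
  // Validated against ACCESS_MODES by mongoose; falls back to 'public' when unset.
  // NOTE(review): a project saved without an explicit `access` is therefore
  // readable by everyone -- decide deliberately whether that default is wanted.
  access: { type: String, enum: ACCESS_MODES, required: true, default: 'public' },
  // Reference to the owning user; the stray ']' the original had here broke parsing.
  owner: { type: Schema.Types.ObjectId, ref: 'User' }
});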
然後,我們通常會在 schema 上實現一些自定義的訪問方法,例如:
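// Static: load project `id` and hand it to `done(err, project)` only when `user`
// is allowed to read it. Anything not explicitly granted below is denied.
projectSchema.statics.getByIdFor = function(user, id, done) {
  this.findOne({ _id: id }).populate('owner').exec(onFound);

  function onFound(err, project) {
    // Report query failures instead of dereferencing `project` while it is unset.
    if (err) return done(err);
    // A missing document takes the same denial path as a forbidden one, so the
    // error alone does not reveal whether the id exists.
    if (!project) return done(new Error('no permission to access this project'));
    // now check 'user' against the project's access method:
    if (project.access === 'public') return done(undefined, project);
    if (project.access === 'private') {
      // ...etc, handle the logic for access at different levels
      // (`project.owner` is populated above, so it can be compared with `user`)
    }
    // finally, they didn't get access -- default deny
    done(new Error('no permission to access this project'));
  }
};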
所以,現在你可以像這樣調用,並且知道它是安全的:
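// The method name must match the static defined on the schema (`getByIdFor`);
// calling an undefined static would throw before any access check runs.
ProjectModel.getByIdFor(loggedinUser, req.params.projectId, onFound);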
要找出用戶可以訪問的所有項目:
// Static: gather every project that `user` is allowed to read and return the
// list through `done(err, projects)`.
// NOTE(review): this is a sketch -- onPublic/onFollowers/onPrivate/onExplicit are
// not defined anywhere on this page, `accessible` is never filled and `done` is
// never called. The four queries also run concurrently, so their callbacks have
// to be joined (e.g. a remaining-count) before one `done(undefined, accessible)`.
projectSchema.statics.getForUser = function(user, done) {
// Results are meant to accumulate here once the callbacks exist.
var accessible = [];
// Readable by anyone; no per-user filtering needed.
this.find({ access: 'public' }).exec(onPublic);
// Owner is populated, presumably to check whether `user` follows them -- not shown.
this.find({ access: 'followers' }).populate('owner').exec(onFollowers);
// Ownership is enforced in the query itself, so only `user`'s own private projects return.
this.find({ access: 'private', owner: user }).exec(onPrivate);
// Owner is populated, presumably to consult an explicit grant list -- not shown.
this.find({ access: 'explicit' }).populate('owner').exec(onExplicit);
// add onPublic/Followers/Private/Explicit to accessible where user is in the correct list
};
這些權限只用於讀取操作嗎?——也就是說,您只允許組中的成員讀取文檔而不能編輯它?——還是像 Google 文檔那樣,可以設置某些用戶只能閱讀、某些用戶可以編輯等等…… – Alex
只讀詳細信息。 – HGandhi