Role-based access control for mongoose apps.
- mongoose ~3.6.11
npm install mongoose-rbac --save
mongoose-rbac gives you the building blocks to lock down your app with role-based access control and gets out of your way.
Generally, you will want to do the following:
- Create a
Permission
for each action you desire to control. APermission
consists of asubject
and anaction
. - Create a
Role
for each role you wish to assign. ARole
only requires a uniquename
. - Assign the desired set of permissions to each role.
- Use the mongoose-rbac plugin in your user schema.
Following is a typical example. Let's imagine we are managing a blog with users, preferences, posts and comments. First, we will define our permissions and roles:
// permissions.js
var rbac = require('mongoose-rbac')
, Permission = rbac.Permission
, Role = rbac.Role
, permissions;
permissions = [
{ subject: 'Post', action: 'create' }
, { subject: 'Post', action: 'read' }
, { subject: 'Post', action: 'update' }
, { subject: 'Post', action: 'delete' }
, { subject: 'Comment', action: 'create' }
, { subject: 'Comment', action: 'read' }
, { subject: 'Comment', action: 'update' }
, { subject: 'Comment', action: 'delete' }
, { subject: 'Preference', action: 'create' }
, { subject: 'Preference', action: 'read' }
, { subject: 'Preference', action: 'update' }
, { subject: 'Preference', action: 'delete' }
];
Permission.create(permissions, function (err) {
var perms, admin, developer, readonly;
perms = Array.prototype.slice.call(arguments, 1);
admin = new Role({ name: 'admin' });
admin.permissions = perms;
admin.save(function (err, admin) {
developer = new Role({ name: 'developer' });
developer.permissions = perms.slice(0, 7);
developer.save(function (err, developer) {
readonly = new Role({ name: 'readonly' });
readonly.permissions = [perms[1], perms[5], perms[9]];
readonly.save(function (err, readonly) {
// ...
});
});
});
});
Alternatively we can use init
to easily bootstrap roles and permissions:
// permissions.js
var rbac = require('mongoose-rbac');
rbac.init({
admin: [
['create', 'Post'],
['read', 'Post'],
['update', 'Post'],
['delete', 'Post']
],
readonly: [
// we can also specify permissions as an object
{ action: 'read', subject: 'Post' }
]
}, function (err, admin, readonly) {
console.log(admin);
/*
{ __v: 1,
name: 'admin',
_id: 513c14dbc90000d10100004e,
permissions: [ 513c14dbc90000d101000044,
513c14dbc90000d101000045,
513c14dbc90000d101000046,
513c14dbc90000d101000047 ] }
*/
console.log(readonly);
/*
{ __v: 1,
name: 'readonly',
_id: 513c14dbc90000d10100004f,
permissions: [ 513c14dbc90000d101000045 ] }
*/
});
Next, we will enhance our user model with the mongoose-rbac plugin:
// user.js
var mongoose = require('mongoose')
, rbac = require('mongoose-rbac')
, UserSchema
, User;
UserSchema = mongoose.Schema({
username: String,
passwordHash: String
});
UserSchema.plugin(rbac.plugin);
module.exports = mongoose.model('User', UserSchema);
Finally, we can assign roles to our users and control their access to system resources:
var User = require('user')
, user;
user = new User({ username: 'hercules' });
user.save();
user.addRole('admin', function (err) {});
user.hasRole('admin', function (err, isAdmin) {
console.log(isAdmin); // true
});
user.can('create', 'Post', function (err, can) {
if (can) {
// ok
}
else {
// insufficient privileges
}
});
user.canAny([['read', 'Post'], ['create', 'Post']], function (err, canReadOrCreate) {
if (canReadOrCreate) {
// ok
}
else {
// insufficient privileges
}
});
user.removeRole('admin', function (err) {});
Check if the model has the given role.
role
String or Rolecallback(err, bool)
Function
Add the given role to the model.
role
String or Rolecallback(err)
Function
Remove the given role from the model.
role
String or Rolecallback(err)
Function
Check if the model has the given permisison.
action
Stringsubject
Stringcallback(err, bool)
Function
Check if the model has any of the given permissions.
actionsAndSubjects
Array (of[String, String]
)callback(err, bool)
Function
Check if the model has all of the given permissions.
actionsAndSubjects
Array (of [String, String])callback(err, bool)
Function
To run the tests, clone the repository and install the dev dependencies:
git clone git://github.com/bryandragon/mongoose-rbac.git
cd mongoose-rbac && npm install
make test
Copyright (c) 2013 Bryan Dragon
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.