I just started working on adding permissions to models in my WIP Prometheus ODM.
The idea is that I, a developer, want to describe granular access rules to resources. I am going to deal with the most common access types: CRUD (Create, Read, Update, Destroy) + Transfer.
In a typical system there also most generic role types: guest, user (someone with an active session), resource owner and administrator.
Specifically, in the Node.js application I am working on now everyone accessing web or REST interface is considered a user, and until they sign in using credentials, they’re assigned a guest role. Once they authenticate in the application, their roles are either loaded from the database, e.g. role of administrator, or they must be dynamically calculated based on user’s relation to a given resource, e.g. owner. In practice there may be more roles that the above four, therefore we want to be flexible and allow developers to add any number of arbitrary roles and corresponding privilege checkers, e.g. company_user, group_user, the_posse, etc.
Now every time anyone is trying to perform an action on an object, we want to know if their privileges allow them to do so. In the simplest form, we want to have a function corresponding to an action, that returns true or false depending on the result of user privilege check.
Prometheus ORM will focus on the four basic roles and corresponding privilege checkers. In order to use privilege checks on the model, I have added new properties to model options. Now each model description has two new properties:
roles — latter is optional. Roles property lists additional, custom roles, in the same format they are described in
lib/includes/roles.js, which means they must have a
check(session_user) function, returning a boolean, such as in the following gist:
Implementation of privilege checks is incomplete. For now I intend to describe roles by their
fk_param (if applicable) and hash of the current session’s user, which needs to have an array with user’s roles.
I will update as I have more progress in implementing user permissions for this ORM.