ForbesLindesay / connect-roles

Provides dynamic roles based authorisation for node.js connect and express servers.

Made res available in user.use(req, res) #35

Closed ariutta closed 9 years ago

ariutta commented 10 years ago

Hello,

This is an update to make res available in user.use(req, res). My use case creates a res.jsonAuthorized method that filters the response, using a JSON Schema, before calling res.json:

var filter = require('json-schema-filter');
var highland = require('highland');
var moderatorAuthorizationSchema = require('./authorization-schemas/moderator.json');

user.use('access private page', function (req, res) {
  if (req.user.role === 'moderator') {
    // json-schema-filter takes (schema, data); currying in the schema leaves a data -> filtered data function
    var moderatorFilter = highland.curry(filter, moderatorAuthorizationSchema);
    // compose runs right to left: filter the body first, then send it.
    // res.json is bound so it keeps `this` (express's res.json depends on it).
    res.jsonAuthorized = highland.compose(res.json.bind(res), moderatorFilter);
    return true;
  }
  // any other role: no opinion, so connect-roles moves on to the next rule
});

ariutta commented 10 years ago

Actually, this change is major, because it changes the API for roles.use. All I need is for res to be available inside user.use. Is there any way to do that without changing the API?
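One way to get the same jsonAuthorized behaviour without giving the rule access to res, shown here as an added example that is neither part of this thread nor connect-roles' own code: the rule stays a function of req alone (the shape the thread's own snippet already uses, returning true to allow), and a separate piece of middleware attaches the role-specific response filter. Everything below is constructed for the example: filterBySchema is a hypothetical, minimal stand-in for the json-schema-filter module (it honours only `type`, `properties` and `items`), attachJsonAuthorized, makeRes and runPipeline are hypothetical names, and the schemas and the sample record are made up.

```javascript
'use strict';

// Hypothetical stand-in for json-schema-filter: keeps only the keys a JSON
// Schema lists. Supports `type`, `properties` and `items`; nothing else.
function filterBySchema(schema, data) {
  if (!schema || typeof schema !== 'object') return data;
  if (schema.type === 'object' && data !== null && typeof data === 'object' && !Array.isArray(data)) {
    const props = schema.properties || {};
    const out = {};
    for (const key of Object.keys(props)) {
      if (Object.prototype.hasOwnProperty.call(data, key)) {
        out[key] = filterBySchema(props[key], data[key]);
      }
    }
    return out; // keys absent from the schema (e.g. passwordHash) are dropped
  }
  if (schema.type === 'array' && Array.isArray(data)) {
    return data.map((item) => filterBySchema(schema.items, item));
  }
  return data; // scalars pass through; this filter shapes output, it does not validate
}

// Constructed stand-in for ./authorization-schemas/moderator.json.
const moderatorSchema = {
  type: 'object',
  properties: {
    id: { type: 'integer' },
    name: { type: 'string' },
    email: { type: 'string' },
    notes: { type: 'array', items: { type: 'object', properties: { text: { type: 'string' } } } },
  },
};

// Constructed schema for every other caller: public fields only.
const publicSchema = {
  type: 'object',
  properties: { id: { type: 'integer' }, name: { type: 'string' } },
};

// The authorisation rule as a pure predicate of req: true allows, false denies,
// undefined means "no opinion" so the next rule can decide. It never sees res.
function accessPrivatePage(req) {
  if (req.user && req.user.role === 'moderator') return true;
  if (req.user && req.user.role === 'banned') return false;
  return undefined;
}

// Separate middleware (hypothetical) that gives res a jsonAuthorized method.
// res.json is bound so `this` survives; an unbound res.json breaks in express.
function attachJsonAuthorized(req, res, next) {
  const schema = req.user && req.user.role === 'moderator' ? moderatorSchema : publicSchema;
  const json = res.json.bind(res);
  res.jsonAuthorized = (body) => json(filterBySchema(schema, body));
  next();
}

// Fake res so the example runs without express; it records what was sent.
function makeRes() {
  return {
    statusCode: 200,
    body: undefined,
    json(body) { this.body = body; return this; },
    sendStatus(code) { this.statusCode = code; return this; },
  };
}

// Simulates a guard like user.can('access private page') in front of a handler:
// only an explicit true from the rule runs the handler; anything else is a 403.
function runPipeline(role, record) {
  const req = { user: role ? { role } : undefined };
  const res = makeRes();
  attachJsonAuthorized(req, res, () => {});
  if (accessPrivatePage(req) === true) {
    res.jsonAuthorized(record);
  } else {
    res.sendStatus(403);
  }
  return { status: res.statusCode, body: res.body };
}

// Constructed sample record: the hash must never reach any client.
const sampleRecord = {
  id: 7,
  name: 'Ada',
  email: 'ada@example.test',
  passwordHash: '$2b$12$constructedexamplehashvalue',
  notes: [{ text: 'first', author: 'admin' }],
};

console.log(JSON.stringify(runPipeline('moderator', sampleRecord)));
console.log(JSON.stringify(runPipeline('member', sampleRecord)));
```

The point of the split is that the rule answers only "may this caller do this action", which is what the library's decision combinators can reason about, while the choice of what the caller may see lives with the response and can be tested on its own. A denied caller never reaches jsonAuthorized at all, and an allowed one still only receives the fields its schema lists.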

ForbesLindesay commented 9 years ago

Why is this needed? This is a deliberately high level, opinionated library that aims to force you to structure your authorisation rules in a sensible way. Allowing authorisation rules to modify / interact with the response object seems to run counter to that?

ariutta commented 9 years ago

The idea comes from strong parameters in Rails. strong parameters allows for nested, conditional authorization for updates. This does the same for reads.

ForbesLindesay commented 9 years ago

I'm sorry, I'm not familiar with "strong parameters". Could you summarise how these nested, conditional authorizations work, and why they require the res to be accessible?

ariutta commented 9 years ago

If you're familiar with .NET, check out ServiceStack's Request and Response filters.

Otherwise, these Stack Overflow questions address the same general issue: