OptimalBits / node_acl

Access control lists for node applications

Help with design #243

Open sinqinc opened 7 years ago

sinqinc commented 7 years ago

Hi, I need some help in my project because I'm not sure if it's the way I should do it.

I have an API used by an APP to manage data.

The data is accessed this way:

    /organization/ [GET - POST]
    /organization/:id_org [GET - PUT - DELETE]
    /organization/:id_org/ou [GET - POST]
    /organization/:id_org/ou/:id_ou [GET - PUT - DELETE]
    /organization/:id_org/ou/:id_ou/project [GET - POST]
    /organization/:id_org/ou/:id_ou/project/:id_project [GET - PUT - DELETE]
    /organization/:id_org/ou/:id_ou/project/:id_project/section [GET - POST]
    /organization/:id_org/ou/:id_ou/project/:id_project/section/:id_section [GET - PUT - DELETE]
    /organization/:id_org/ou/:id_ou/project/:id_project/section/:id_section/variable/ [GET - POST]
    /organization/:id_org/ou/:id_ou/project/:id_project/section/:id_section/variable/:id_variable [GET - PUT - DELETE]
    /organization/:id_org/ou/:id_ou/project/:id_project/section/:id_section/value/ [GET - POST]
    /organization/:id_org/ou/:id_ou/project/:id_project/section/:id_section/value/:id_variable [GET - PUT - DELETE]

I need to have these roles: global admin, organization admin (for each org), project admin (for each project), project user (for each project).

Global admin can access everything.
Organization admin can do anything in his org (create ou/project/section/variable/value).
Project admin can do anything in his project (create section/variable/value).
Project user can only edit data in that project (edit value in each section of a project).

Since I am using the mongo backend, do I need to create a resource for each path, or can I just create a resource like '/' for the global admin? I tried but it doesn't work.

I started to create a role for each organization/ou/project like this:

    [
      {
        "roles": "org_58829f092c8db0000ab91f5e_admin",
        "allows": [{ "resources": "/api/v1/organization/58829f092c8db0000ab91f5e", "permissions": ["GET","POST","PUT","DELETE"] }]
      },
      {
        "roles": "org_58829f092c8db0000ab91f5e_ou_58829f092c8db0000ab91f4a_admin",
        "allows": [{ "resources": "/api/v1/organization/58829f092c8db0000ab91f5e/ou/58829f092c8db0000ab91f4a", "permissions": ["GET","POST","PUT","DELETE"] }]
      }
    ]

But it will create A LOT of roles and resources for each role, since I need to add each sub-resource. It would be nice to only match the beginning of the resource, to create a resource like '/' that gives access to all sub-resources.

For the user I created a role like this:

    {
        "roles": "org_58829f092c8db0000ab91f5e_ou_58e7d95360b2ed001b8af1b1_project_591a7de55bd888000f30d45b_contrib",
        "allows": [
            { "resources": "/api/v1/organization/58829f092c8db0000ab91f5e/ou/58e7d95360b2ed001b8af1b1/project/591a7de55bd888000f30d45b/section/:param1/value", "permissions": ["GET","POST","PUT","DELETE"] },
            { "resources": "/api/v1/organization/58829f092c8db0000ab91f5e/ou/58e7d95360b2ed001b8af1b1/project/591a7de55bd888000f30d45b", "permissions": ["GET"] }
        ]
    }

and created a middleware to replace a part of the URL with "param1" to be able to match any section!

    // Replace the path segment at index numParamToChange with ":param1"
    // so any section id matches the ":param1" placeholder in the ACL resource.
    function rewriteResource(resource, numParamToChange) {
        if (numParamToChange) {
            var tmpR = resource.split('/');
            tmpR[numParamToChange] = ":param1";
            resource = tmpR.join('/');
        }
        return resource;
    }

What should I do for each admin?

cyrilchapon commented 7 years ago

very +1.

I find this module great, and the API is very interesting and lean.

But I'm struggling at making something dynamic and working for such a use case:

"Role 1 can view thatkindofresource" => ok
"Role 1 can view thatkindofresource in thatorganization" => ko
"Role 1 can view thatkindofresource in thatorganization and in thatgroup" => ko

We, similarly, have a hierarchical design with organizations, domains, groups, and a kind of admin for each level of the hierarchy.

bora89 commented 6 years ago

Facing the same issue, how did you solve it?

sinqinc commented 6 years ago

@bora89 I'm using the design I described in my first post. I create a new ACL with all the resources and permissions on every part of the hierarchy. I'm also using addRoleParents to nest each ACL. I don't know if the design breaks some "rules", but it works well for my project.
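The design sinqinc describes (one role per organization/ou/project, ":param1" in place of the section id, and a wish for a parent resource like '/' to cover its sub-resources), as an added example that is neither node_acl's code nor code from this thread. It assumes the '/api/v1' prefix from the thread; the function names, the RULES table and the ids A, B, C, S, V are my own constructed values.

```javascript
// Added example: not node_acl's code and not from the thread. It collapses ids
// below the project level to ":param1" so one resource covers every section, and
// lets a rule on a parent resource (organization, project, or '/' for the global
// admin) cover all sub-resources by checking every prefix of the normalized path.
// Names are mine; ids A, B, C, S, V are constructed sample values.

// Hierarchy levels that have per-instance roles, so their ids stay in the resource name.
const SCOPED = new Set(['organization', 'ou', 'project']);

// Request path -> ACL resource name. Segments after the fixed '/api/v1' prefix come in
// (collection, id) pairs; ids below the scoped levels become ':param1'.
function normalizeResource(path) {
  const segs = path.split('?')[0].split('/').filter(Boolean);   // drop query string, empty segments
  const out = segs.slice(0, 2);                                  // 'api', 'v1'
  for (let i = 2; i < segs.length; i += 2) {
    out.push(segs[i]);                                           // collection: organization, ou, section, ...
    if (i + 1 < segs.length) out.push(SCOPED.has(segs[i]) ? segs[i + 1] : ':param1');
  }
  return '/' + out.join('/');
}

// Every prefix of a resource, most specific first, ending with '/'.
function resourceChain(resource) {
  const segs = resource.split('/').filter(Boolean);
  const chain = [];
  for (let n = segs.length; n >= 0; n--) chain.push('/' + segs.slice(0, n).join('/'));
  return chain;
}

// Rules in the shape acl.allow() accepts. Parent resources are listed once; the
// prefix check below is what makes them cover their children.
const RULES = [
  { roles: 'global_admin', allows: [{ resources: '/', permissions: ['GET', 'POST', 'PUT', 'DELETE'] }] },
  { roles: 'org_A_admin', allows: [{ resources: '/api/v1/organization/A', permissions: ['GET', 'POST', 'PUT', 'DELETE'] }] },
  { roles: 'org_A_ou_B_project_C_contrib', allows: [
    { resources: '/api/v1/organization/A/ou/B/project/C/section/:param1/value', permissions: ['GET', 'POST', 'PUT', 'DELETE'] },
    { resources: '/api/v1/organization/A/ou/B/project/C', permissions: ['GET'] },
  ] },
];

// In-memory stand-in for acl.isAllowed(): is `permission` granted to one of `roles` on the
// normalized resource or on any of its parents? With node_acl the middleware would call
// acl.isAllowed(userId, prefix, permission) for each element of the chain and stop at the
// first grant. Validate ids (e.g. as ObjectIds) before this step so no crafted segment slips in.
function isAllowed(roles, path, permission) {
  const chain = resourceChain(normalizeResource(path));
  return RULES.some(rule => roles.includes(rule.roles) &&
    rule.allows.some(a => chain.includes(a.resources) && a.permissions.includes(permission)));
}
```

Because the check walks the whole prefix chain, a permission granted on a parent applies to every child path, so grant broad parents (like '/') only to the global admin role.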