Grant Access to Resource Owner Only

OptimalBits / node_acl

Access control lists for node applications

2.62k stars 369 forks source link

Grant Access to Resource Owner Only #246

Open alaboudi opened 7 years ago

alaboudi commented 7 years ago

Hi,

Is there another way of only allowing resource owners to access a certain resource? The documentation slightly touches on this by saying

Sometimes it may even be useful to create one role per user, to get the finest granularity possible

but this clutter my database and make a collection for every user? Is there no other way of achieving this?

neuronetio commented 7 years ago

I'm using something like this:

resources:['someResource'],
permissions:['owner-view','other-view','owner-update','other-update']

and in controllers before checking permissions I'm checking who wants to 'view' or 'update' something by session.userId and then get result from db and check who is owner of the record, if session.userId==dbRecord.userId then I'm checking 'owner-view' permissions for this user or else 'other-view' (if admin want to view record or other user)

he313572052 commented 6 years ago

app.put('/blogs/:id', acl.middleware(), function(req, res, next){…} Is the app in the express getting the object?

sebastien-savalle commented 5 years ago

Is there any other way to allow access to resource owner ?