Not MVC resources ?

[ghost]

Hi, Is it possible to use this module with resources wich are not MVC ? I want to protect instance objects rather than routes.

I want to do something like this into my controller (i'm using routing-controllers):

@Get("/myaction/candidat_id/:candidat_id")
    test((@Param("candidat_id") candidat_id: number, @Req() request: Request, @Res() response: Response)   
    { 
        ...
 if (acl.isAllowed(myUserId, myArticleId, 'show') {
// display article
}    
}

[ghost]

Can anyone help me please?

[ghost]

No idea about this question?

[john-osullivan]

Your question is kind of unclear, as Model View Controller doesn't really apply in this ACL context. I'm not using the middleware, so no ideas on how it would work there, but you can just make one resource for every article.

It looks like the pattern for max granularity is to:

• give every object (i.e. a document in a MongoDB collection) its own resource (i.e. article-<id>)
• give every user their own role (i.e. user-<id>)
• create roles corresponding to each perm level for each resource (i.e. article-<id>/show, article-<id>/edit, etc.), such that role article-id/<show> has permission show on article-<id> while article-id/<edit> could have permissions show and read on article-<id>. That way you can get hierarchical permission levels with fewer operations when granting permission to a user.
• grant a user permission on a resource by making their personal role a child of the given resource permission role (i.e. user-<id> becomes a child of article-<id>/show)

Not sure how it scales, but that provides the most granularity across the application. Note that I'm not a contributor to this library, just a developer in the process of implementing the pattern as described. Would love to hear from @manast about any issues he'd foresee as this pattern scales!