fnakstad / angular-client-side-auth

One way to implement authentication/authorization in Angular applications
http://angular-client-side-auth.herokuapp.com/
MIT License

Roles only for authentication. #16

Closed prashid closed 11 years ago

prashid commented 11 years ago

I was studying your app to learn from it. I was trying to remove accessLevel and keep role-based authentication. But the app is not displaying the proper menu items for the logged-in user. I was wondering if you could help.

Is there any use of binary numbers in the app? Are there any specific changes to make only roles work and remove access level, which is confusing? I did most of the changes and the app is working fine, but the menu is not working properly.

exports.userRoles = {
    public: 1, // 001
    user:   2, // 010
    admin:  4  // 100
};

exports.accessLevels = {
    public: 7, // 111
    anon:   1, // 001
    user:   6, // 110
    admin:  4  // 100
};
fnakstad commented 11 years ago

Hi prashid! If you want to eliminate access levels you could do a bitwise OR to combine all the user roles you want to allow to calculate the access level on the fly. So your routes which have access level user (= 110) could be declared as userRoles.user | userRoles.admin (010 | 100 = 110) instead. It's really a matter of taste, but I prefer declaring access levels up front.

PS! I just pushed a commit 41037bf5b566c66fc65ecde1992cf94a6d5268da wherein I make the declaration of access levels much more readable. So now I declare my access levels like so:

exports.accessLevels = {
    public: userRoles.public | userRoles.user | userRoles.admin,
    anon:   userRoles.public,
    user:   userRoles.user | userRoles.admin,
    admin:  userRoles.admin
};

Hopefully that makes it easier to work with?
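Added example (not code from the angular-client-side-auth repository): the role bit masks from the comment above, the access levels computed from them with bitwise OR, and the check that an ensureAuthenticated/ensureAuthorized-style middleware performs against a route table. The `routes`, `validateRoles`, `isAuthorized` and `dispatch` names and the extra routes are assumptions for illustration; only `userRoles` and `accessLevels` mirror the thread.

```javascript
'use strict';

// Each role is a single bit, so any combination of roles is a distinct integer.
const userRoles = {
  public: 1, // 001  not logged in
  user:   2, // 010
  admin:  4, // 100
};

// An access level is the OR of every role that is allowed through.
const accessLevels = {
  public: userRoles.public | userRoles.user | userRoles.admin, // 111 = 7
  anon:   userRoles.public,                                    // 001 = 1
  user:   userRoles.user | userRoles.admin,                    // 110 = 6
  admin:  userRoles.admin,                                     // 100 = 4
};

// Guard the role table: every role must be exactly one bit. A role such as 3
// (011) would silently satisfy any level that contains either bit.
function validateRoles(roles) {
  for (const [name, bit] of Object.entries(roles)) {
    if (!Number.isInteger(bit) || bit <= 0 || (bit & (bit - 1)) !== 0) {
      throw new Error(`role ${name} must be a single bit, got ${bit}`);
    }
  }
  return true;
}
validateRoles(userRoles);

// Core check: the user's role bit must be present in the route's access level.
// A missing user (not logged in) is treated as the `public` role.
function isAuthorized(accessLevel, user) {
  const role = (user && user.role) || userRoles.public;
  return (accessLevel & role) !== 0;
}

// Route table in the shape of the app's routingConfig (assumed subset).
const routes = [
  { path: '/users',   httpMethod: 'GET',  accessLevel: accessLevels.admin },
  { path: '/profile', httpMethod: 'GET',  accessLevel: accessLevels.user },
  { path: '/login',   httpMethod: 'POST', accessLevel: accessLevels.anon },
  // Access level built on the fly from roles instead of a named level.
  { path: '/reports', httpMethod: 'GET',  accessLevel: userRoles.user | userRoles.admin },
];

// Simulates the ensureAuthenticated + ensureAuthorized chain for one request
// and returns the HTTP status the middleware would answer with.
function dispatch(method, path, user) {
  const route = routes.find((r) => r.path === path && r.httpMethod === method);
  if (!route) return 404;
  // ensureAuthenticated: a level that excludes `public` requires a logged-in user
  const needsLogin = (route.accessLevel & userRoles.public) === 0;
  if (needsLogin && !user) return 401;
  // ensureAuthorized: the role bit must be inside the access level
  if (!isAuthorized(route.accessLevel, user)) return 403;
  return 200;
}
```

`dispatch('GET', '/users', { role: userRoles.user })` returns 403 while the same request with `userRoles.admin` returns 200, and an anonymous request returns 401 before the role is ever consulted; a logged-in user posting to `/login` gets 403 because the `anon` level contains only the `public` bit.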

prashid commented 11 years ago

Thanks a lot for your help. I will look into it and get back to you if anything related comes up. Thanks again.

fnakstad commented 11 years ago

Alright, I'll go ahead and close this issue, but feel free to reopen it if you encounter any related problems.

prashid commented 11 years ago

Hi, I have 2 questions.

What does this code do? public: userRoles.public | userRoles.user | userRoles.admin,

Is | the OR sign?

When is this path triggered?

// User resource { path: '/users', httpMethod: 'GET', middleware: [ensureAuthenticated, ensureAuthorized, UserCtrl.index], accessLevel: accessLevels.admin },

Thanks

prashid commented 11 years ago

One more question with the above questions.

If I want to use CSRF in your app, do I need to create another cookie for that, like below, to make it work?

res.cookie('XSRF-TOKEN', req.session._csrf);

fnakstad commented 11 years ago

| in JavaScript does a binary OR of the specified operands, so public: userRoles.public | userRoles.user | userRoles.admin computes an access level based on the user roles I've specified earlier. Basically, I'm just listing all the user roles I want to be authorized for the given access level.

As for your second question, yes, you will have to set the CSRF cookie separately. If you're using Node.js/express, you can do this using the express.csrf() middleware.

prashid commented 11 years ago

Thanks for the reply.

And when is this path triggered? I don't see anything related to /users. Is it specific to Passport?

// User resource { path: '/users', httpMethod: 'GET', middleware: [ensureAuthenticated, ensureAuthorized, UserCtrl.index], accessLevel: accessLevels.admin },

fnakstad commented 11 years ago

Ah, I forgot to respond to that. That route is just to serve up a JSON feed listing the registered users. In the example app it's called via an AJAX request on the "admin" page. You can access this route directly in your browser by visiting http://your-url-here/users.

By the way, I just merged a pull request from @derekbarnhart, in which he makes it a lot easier to work with user roles and access levels. So if you check out routingConfig.js you will see that you don't have to bother with bit masks anymore, but can just declare your roles and access levels using strings instead. Hopefully that will make it a little easier to work with :)

prashid commented 11 years ago

Thanks. Got the new changes. Will be in touch.