louisstow / sproute

Instant community site builder
http://sproute.io

Permissions matrix #5

Closed louisstow closed 11 years ago

louisstow commented 11 years ago

Give the developer fine-grained control over who can do what with the REST APIs. Base it on the in-built user accounts. Potentially add into the controller file?

Allow permission on any URL, including pages. Needs to cover the following:

louisstow commented 11 years ago

List of user roles in order of precedence. Access to one role will give access to every role above it.

  1. admin - At least one admin account exists when sproute is first installed. Defined in config.json
  2. owner - Will ensure _owner matches session.user._id
  3. member - Must at least be logged in (session.user exists)
  4. anyone - No rule
    • stranger - Must not be logged in
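
A sketch of how the role list in this issue could be evaluated, added here as an example and not taken from the sproute code base. It assumes that a role earlier in the list satisfies any requirement later in it, that admin accounts carry a hypothetical `role: "admin"` field on `session.user`, and that `stranger` is checked separately from the ordering.

```javascript
// Added example, not sproute's own code. Only _owner and session.user._id
// come from the issue; user.role and the function names are assumptions.
const ROLES = ["admin", "owner", "member", "anyone"]; // order given in the issue

// Strongest role the current session holds with respect to one record.
function effectiveRole(session, record) {
  const user = session && session.user;
  if (!user) return "anyone";                  // no session.user: not logged in
  if (user.role === "admin") return "admin";   // assumed flag on the account
  const owns = record && record._owner != null && user._id != null &&
    String(record._owner) === String(user._id); // compare ids as strings
  return owns ? "owner" : "member";
}

// Decide whether a request may proceed, given the role a route requires.
function isAllowed(required, session, record) {
  const loggedIn = Boolean(session && session.user);
  if (required === "stranger") return !loggedIn; // exclusive rule, not on the ladder
  const need = ROLES.indexOf(required);
  if (need === -1) return false;                 // unknown role name: fail closed
  const have = ROLES.indexOf(effectiveRole(session, record));
  return have <= need;                           // earlier in ROLES is stronger
}

// Constructed sample sessions and record.
const adminSession = { user: { _id: "u1", role: "admin" } };
const ownerSession = { user: { _id: "u2" } };
const otherSession = { user: { _id: "u3" } };
const post = { _owner: "u2", title: "hello" };

console.log(isAllowed("owner", adminSession, post));  // admin passes an owner rule
console.log(isAllowed("owner", ownerSession, post));  // _owner matches _id
console.log(isAllowed("owner", otherSession, post));  // logged in, not the owner
console.log(isAllowed("stranger", otherSession));     // logged-in user is rejected
```

The `_owner` comparison is guarded against missing ids so that a record without an owner and a session without an `_id` never compare equal.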