onury / accesscontrol

Role and Attribute based Access Control for Node.js
https://onury.io/accesscontrol
MIT License

Cross inheritance #18

Closed jyotman closed 7 years ago

jyotman commented 7 years ago

Should cross inheritance be allowed?

For example I have 2 roles - user and admin.

Now if I write -

ac.grant('admin').extend('user')
ac.grant('user').extend('admin')

Then from this moment onward, both the roles have become exactly similar. All the permissions given to admin role would apply to user role and vice-versa. Then what's the point of having 2 different roles?

Forgive me if I'm missing something. And thanks for this really useful module.

onury commented 7 years ago

Although, there's no point doing that; it's still valid (currently).

But I see your concern. This might even lead to security issues on the host application, if not used with caution. Besides, I can't think of any true, valid use of cross-inheritance.

I'll consider this in the next version (will be released in a couple of days). Thanks.

onury commented 7 years ago

Cross-role inheritance is no longer allowed in v2.0.0+
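
The cross-inheritance case discussed in this thread, as an added example that is not part of the original issue and is not AccessControl's own code: a depth-first check over a hypothetical role map (role name to the list of roles it extends) that refuses an extend when it would close an inheritance cycle. It goes beyond the two-role case in the question and also catches self-extension and longer chains; `findInheritanceCycle` and `safeExtend` are illustrative names.

```javascript
// Hypothetical role map, not AccessControl's internal format:
// each key is a role, its array lists the roles it extends (inherits from).
function findInheritanceCycle(extendsMap) {
  const VISITING = 1, DONE = 2;
  const state = new Map();
  const path = [];

  function visit(role) {
    if (state.get(role) === DONE) return null;
    if (state.get(role) === VISITING) {
      // Back edge: the cycle is the current path from the first visit of role.
      return path.slice(path.indexOf(role)).concat(role);
    }
    state.set(role, VISITING);
    path.push(role);
    for (const parent of extendsMap[role] || []) {
      const cycle = visit(parent);
      if (cycle) return cycle;
    }
    path.pop();
    state.set(role, DONE);
    return null;
  }

  for (const role of Object.keys(extendsMap)) {
    const cycle = visit(role);
    if (cycle) return cycle;
  }
  return null; // acyclic: every role keeps a distinct permission set
}

// Guarded extend: returns a new map, or throws if the new edge closes a cycle.
function safeExtend(extendsMap, role, parent) {
  const next = { ...extendsMap, [role]: [...(extendsMap[role] || []), parent] };
  const cycle = findInheritanceCycle(next);
  if (cycle) throw new Error(`Cross inheritance rejected: ${cycle.join(' -> ')}`);
  return next;
}

// Constructed sample mirroring the first call in the issue: admin extends user.
const afterFirst = safeExtend({ user: [], admin: [] }, 'admin', 'user');
```

Passing `afterFirst` back in with `'user'` extending `'admin'` (the second call from the issue) throws, because a cycle makes every role on it inherit every other role's grants.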