onury / accesscontrol

Role and Attribute based Access Control for Node.js
https://onury.io/accesscontrol
MIT License
2.21k stars 178 forks

Permission for everything apart from self #66

Open tomislav12 opened 5 years ago

tomislav12 commented 5 years ago

Is there an option to set up accesscontrol so that some group of users, let's say Moderators, can only create a resource for everybody else, but not for themselves? Currently I did it like this: `{ role: 'moderator', resource: 'thing', action: 'create:any', attributes: 'createAnyButNotOwn' }`, and then when checking for own:

```js
let permission = null;
if (owned) {
  permission = ac.can( user.role ... etc );
  if (permission.attributes.indexOf('createAnyButNotOwn') > -1) {
    permission = false;
  }
}
```

Is there a better way? Thanks

iolivia commented 5 years ago

@onury is this supported currently by the library? looks like this is a nice workaround though 😄
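
The workaround from the first comment, written as a fail-closed helper that always returns a boolean (an added example, not code from this thread or from the accesscontrol project). `makeStubAc`, `canCreateFor`, the actor shape and the `admin` grant are assumptions made here; the stub mimics only `can(role).createAny(resource)` returning `granted` and `attributes`, so the block runs without the package.

```javascript
// Added example, not code from the accesscontrol project.
const DENY_OWN_MARKER = 'createAnyButNotOwn'; // marker attribute used in the post

// Constructed stand-in exposing only can(role).createAny(resource), returning
// { granted, attributes } like the library's Permission object.
function makeStubAc(grants) {
  return {
    can(role) {
      if (!grants.some((g) => g.role === role)) throw new Error(`Role not found: ${role}`);
      return {
        createAny(resource) {
          const grant = grants.find((g) =>
            g.role === role && g.resource === resource && g.action === 'create:any');
          const attributes = grant ? grant.attributes.split(/\s*[,;]\s*/) : [];
          return { granted: attributes.length > 0, attributes };
        },
      };
    },
  };
}

// Constructed sample grants; the moderator entry is the one from the post.
const ac = makeStubAc([
  { role: 'moderator', resource: 'thing', action: 'create:any', attributes: DENY_OWN_MARKER },
  { role: 'admin', resource: 'thing', action: 'create:any', attributes: '*' },
]);

// Fail-closed check: true only when creation is explicitly allowed.
// actor comes from the authenticated session and targetOwnerId from the
// server-side record, not from a client-supplied "owned" flag.
function canCreateFor(acl, actor, resource, targetOwnerId) {
  if (!actor || !actor.role || actor.id == null || targetOwnerId == null) return false;
  let permission;
  try {
    permission = acl.can(actor.role).createAny(resource);
  } catch (err) {
    return false; // any lookup error (such as an unknown role) is a denial
  }
  if (!permission.granted) return false;
  const isOwn = String(actor.id) === String(targetOwnerId);
  return !(isOwn && permission.attributes.includes(DENY_OWN_MARKER));
}

console.log(canCreateFor(ac, { id: 7, role: 'moderator' }, 'thing', 9)); // for someone else
console.log(canCreateFor(ac, { id: 7, role: 'moderator' }, 'thing', 7)); // for themselves
```

Comparing the ids as strings keeps a numeric session id and a string id from the database from being treated as different users.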