config your express routes to have role and attribute based access control.
This middleware helps to config express routes to check permission granted with accesscontol.
Install via npm
npm install accesscontrol-middleware --saveNow define roles and grants via accesscontol.
const ac = new AccessControl();
ac.grant('user') // define new or modify existing role. also takes an array.
.createOwn('profile') // equivalent to .createOwn('profile', ['*'])
.deleteOwn('profile')
.readAny('profile')
.grant('admin') // switch to another role without breaking the chain
.extend('user') // inherit role capabilities. also takes an array
.updateAny('profile')
.deleteAny('profile');Initialize AccessControlMiddleware
const AccessControlMiddleware = require('accesscontrol-middleware');
const accessControlMiddleware = new AccessControlMiddleware(ac);config any express route
route.put('/profile/:userId',
accessControlMiddleware.check({
resource : 'profile',
action : 'update',
checkOwnerShip : true, // optional if false or not provided will check any permission of action
operands : [
{ source : 'user', key : '_id' }, // means req.user._id (use to check ownership)
{ source : 'params', key : 'userId' } // means req.params.userId (use to check ownership)
]
}),
controller.updateProfile);npm test