Create access tokens with a set of permissions, then pass the token around and let consumers check the token for permissions when needed.
Install toucan
# Add toucan to the project's dependencies.
npm install --save toucan
A simple example
var Toucan = require('toucan');
var token = new Toucan();

// Grant one permission, refuse another, then freeze the token so no
// further permit/deny calls change it.
token.permit('eat').deny('jump').lock();

// Elsewhere in your application
token.can('eat');   // => true
token.can('jump');  // => false
var Toucan = require('toucan');
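/**
 * Build a locked permission token for a role.
 *
 * Toucan denies everything that is not explicitly permitted, so a role
 * receives only the grants listed below. Because the role string alone
 * decides what the token allows, it should come from a trusted source
 * (e.g. the authenticated server-side session), not from client input.
 *
 * @param {string} role - 'admin', 'user', 'banned', or any other value
 *   (treated as a guest: only the public-page permission).
 * @returns {Toucan} the locked token.
 */
var RoleToken = module.exports = function (role) {
  var token = new Toucan();

  // Strict comparison: a role is a plain string, never a coerced value.
  if (role === 'admin') {
    token.permit(['edit all users', 'edit files']);
  }
  if (role === 'admin' || role === 'user') {
    token.permit(['edit own profile', 'edit own files']);
  }

  // Everyone may view public pages...
  token.permit('view public pages');
  // ...except banned users: an explicit deny overrides the permit above.
  if (role === 'banned') {
    token.deny('view public pages');
  }

  return token.lock();
};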
// Signed-in users get a token for their role; everyone else is a guest.
var token = user ? RoleToken(user.role) : RoleToken('guest');

if (token.can('edit own profile')) {
  // ..... edit profile ......
}

// Only the banned role has 'view public pages' denied.
if (token.cannot('view public pages')) {
  message.flash('You are banned');
}
By default, everything is denied unless explicitly permitted. To allow by default instead, permit '*'; anything explicitly denied stays denied.
var Toucan = require('toucan');
var token = new Toucan();

// '*' switches the token to allow-by-default; the explicit deny that
// follows still applies after the token is locked.
token.permit('*').deny('jump').lock();

// All permissions are allowed
token.can('do absolutely anything');  // => true

// Except this one, because it was explicitly denied
token.can('jump');  // => false