Repository files navigation

This loopback component add a new dynamic user role which mapping the operators of model to the role.The role name should be '[modelName]' + '.' + '[operator]'. The role should be mapped into the ACL too.And the role can be nested like this:

Role1:User.addRole2:  Role1Role3:  Role2

The Role3 should has theUser.add role too.

The role could have multi containers of permission(aother role) or permissions.

The Permission is the model with operation. You can use the* to match the any model or any operation.eg,'*.add', 'User.*'.

Add the.owned dynamical roles toedit,view,find, anddelete roles as postfix.For only edit/delete/view/find owned items.

Note:

• The same role could be exists in multi-roles.
• Disable batch update roles.
• The nested max level of role to limit. see config:maxLevel

1. Install in you loopback project:

npm install --save loopback-component-role-user

2. Create a component-config.json file in your server folder (if you don't already have one)

3. Configure options insidecomponent-config.json:

{"loopback-component-role-user": {"enabled":true,"cached":0,"role":"$user","userModel":"User","roleIdFieldName":"name","rolesFieldName":"roles","permsFieldName":"_perms","roleRefsFieldName":"_roleRefs","models": [],"operations":[]  }}

• enabled[Boolean]: whether enable this component.defaults: true
• cached:[Integer]: whether cache the perms.defaults: 1
  • 0 'none': no cache. you can write the custom _getPerms class method on the Role model to your cache.
  • 1 'updated': the cached perms updated when the role updated(default)
  • 2 'manual': if the _perms is not empty use the cached _perms else calc perms and update the _perms.
    • NOTE: you should update the_perms field by yourself. just empty it for updated.
• deleteUsedRole[Boolean]: whether allow to cascade delete used roles.defaults: false
  • only for updatedcached: 1.
• maxLevel[Integer]: the max nested role level to limit.defaults: 10
• role[String] : the role name.defaults: $user
• roleModel[string]: The role model to inject.defaults: Role
  • TherolesFieldName andpermsFieldName fields will be added to the Model.
  • ThehasPerm method will be added to the Model.
  • TheaddRoles andremoveRoles methods will be added if therolesFieldName is 'roles'.
    • TheRole.addRoles andRole.removeRoles permissions are added too.
• userModel[string]: The user model to inject.defaults: User
  • TherolesFieldName andpermsFieldName fields will be added to the User Model.
  • ThehasPerm method will be added to the User Model.
  • TheaddRoles andremoveRoles methods will be added if therolesFieldName is 'roles'.
    • TheUser.addRoles andUser.removeRoles permissions are added too.
• rolesFieldName[string]: The roles field to define.defaults: roles
  • The model(role) can have zero or more roles/permissions.
• permsFieldName[string]: The cached perms of this role.defaults: _perms
  • Cache all the permissions to the roles(Readonly).
• ownerFieldName[string]: The owner id field to define.defaults: creatorId
• roleRefsFieldName[string]: The cached items which reference this role(Readonly).defaults: _roleRefs
• models[Boolean|Array of string].defaults: true
  • enable the user role to the models.true means all models in the app.models.
• operations[Object]: the mapping operations of model to the role name.

  • thekey is the operation(method), thevalue is the role name.

  • Note: the operations name is the role name if no mapping operations.

  • defaults:

    {create:'add',upsert:'edit',updateAttributes:'edit',exists:'view',findById:'view',find:'find',findOne:'find',count:'find',destroyById:'delete',deleteById:'delete'}

Just enable it oncomponent-config.json.

setDEBUG=loopback:security:role:user env vaiable to show debug info.

Model::hasPerm(perm)

• add thecached to determine whether cache the perms.

• add the.owned dynamical roles toedit.owned,view.owned,find.owned, anddelete.owned.Only edit/delete/view/find owned items.

• remove the limits: The same permission CAN NOT be exists in multi-roles.
• [bug] the hasPerm should use the match function instead minimatch
• [bug] updatePermsByRefs can not work properly.
• [bug] mongodb error: key can not contain "." for _perms is object
• [bug] can not change itself to roleRefs after roles changed

• add themaxLevel option to limit the max nested role level to avoid recusive

• avoid exception when component not enabled.

• add thedeleteUsedRole option to allow or forbidden cascade delete

• remove the deprecatedadminRole option. you can define the admin Role with*.* principal.

• rename the operators option to operations
• Customize the Role and User Model.

• removehasRole Method.

• add theRoles mxin.
  • Define theroles andperms fields.
    • roles: the
  • Add thehasPerm,addRoles andremoveRoles methods.
• add thehasPerm,addRoles andremoveRoles methods to Role and User Model.

• Performance optimization.
  • cache permissions and references.

• add theRole::hasRole