Action-based user permissions with access control lists


#1

Hi all,
Adrian Lanning mentioned in his dev shop presentation that access control should be implemented based on action, rather than job title:

However, the alanning:roles package seems oriented towards defining user roles, which typically take a ‘job title’ form (admin, staff, etc). How can we augment the roles package to create groups of action-based permissions (i.e. creating a group-based Access Control List):

  • admin
    • insert
    • update
    • delete
    • manage-secrets
  • user
    • insert
    • updateOwn
    • deleteOwn

What are some options and common patterns to combine user groups with access control verbs (e.g. ‘can’) in Meteor.js projects?

References

In searching for existing solutions, I have found the following resources to be inspiring.

Meteor roles/permissions

JavaScript / Node.js

other roles/permissions systems


#2

Authorization contexts

So far, there seem to be at least four common places where user authorization may be useful:

  • Database access (publications)
  • Server-side code (methods)
  • Routes
  • Template views/partials

Are there additional authorization contexts? What are commonalities between those previously mentioned authorization contexts?


#3

Just name them what you want. ‘create-post’, ‘edit-post’

From the readme

#What’s in a name…

Although the name of this package is ‘roles’, you can define your permissions however you like. You can have traditional roles like, “admin” or “webmaster”. But you can also assign more granular permissions such as, “view-secrets” or “manage-users”. Often times this is actually better because you are able to handle all those pesky edge cases that come up in real life usage without creating a ton of higher-level ‘roles’. To the roles package, its all strings.


#4

@benjick, thanks for your clarification. I still think roles (in the ‘job title’ sense, see below) are useful, as they allow bundles of permissions to be assigned simultaneously. E.g.

  • admin
    • insert
    • update
    • delete
  • user
    • insert
    • updateOwn
    • deleteOwn

How can we create groups of permissions, such as grouping by user role? The documentation on role groups in aldeed:roles is somewhat vague as to their purpose, so I am unsure whether they are useful for this purpose.


#5

I’m using https://atmospherejs.com/nicolaslopezj/roles, which allows to define actions. Works really well :blush:


#6

Thanks @fvg, good recommendation.

Also, there is now a Meteor Hackpad for user permissions.


#7

Sure :slight_smile: I’ve actually developed my own permission system on top of it. Unfortunately it’s really tightly coupled to my app but works great!
The basic idea here is that I have collections for dentists, patients etc. and I can create useraccounts for any of them. I can then allow
them to interact with other documents/ collections, by settings permissions. These include a reference to another module,
safety queries and allowed fields (I’m using my saveFind in publications) as well as checks for method calls.

__Client_And_Server__()

isOwnPatient = (dentist, data) ->
  data.dentistId is dentist._id

permission = ->
  module: App.CRM.Patients
  collections:
    patients:
      query: (dentist) ->
        { dentistId: dentist._id }
      fields: '*'
  methods:
    create: isOwnPatient
    update: isOwnPatient

share.Dentists.getCollection().permit permission