Our permissions file lives in the models folder of rocreadar_server. It specifies which roles each role is allowed to create, and which pages each role can access. It is a JSON file with two main sections, "roles" and "pages", one for each of those purposes.

User Creation

The "roles" section of the permissions file maps each role to the roles it is allowed to create:

Excerpt
"Editor": ["Publisher", "Advertiser"]

This makes it simple to check whether a user with one role may create a user of another role:

Example
var fs = require('fs');
var permissions = JSON.parse(fs.readFileSync('common/models/permissions.json', 'utf8'));
// permission becomes the list ["Publisher", "Advertiser"] if userRole is "Editor"
var permission = permissions.roles[userRole.name];

// A role with no entry in the file may create nobody (fail closed instead of throwing)
if (permission && permission.indexOf("Advertiser") >= 0) {
	// proceed
} else {
	var err = new Error("Unauthorized Access");
	err.status = 401;
	cb(err, null);
}

Page Viewing

The "pages" section of the permissions file maps each role to the pages it is allowed to view. When new pages are added, their routes must be added to the permissions file so that the appropriate users can view them.

Excerpt
"Administrator":
    [
        "/",
        "/login",
        "/logout",
        "/users"
    ],

In app.js, whenever a route change starts, we intercept it and check whether the new path is allowed for the user; if it is not, we reset the location to the route they came from:

app.js
// Runs when a route change starts; `next` and `current` are the outgoing
// and incoming routes of that change
function(data) {
    if (data) {
        SystemUser.getPermission({path: next.$$route.originalPath})
            .$promise
            .then(
                function(success) {
                    // Success, just let the user go
                },
                function(err) {
                    // Not allowed: send the user back to the route they came from
                    $location.path(current.$$route.originalPath);
                }
            );
    }
}
system-user.js
var fs = require('fs');

SystemUser.getPermission = function(path, cb) {
    // Load the permissions file
    // Contains permissions for page viewing and role based user creation
    var permissions = JSON.parse(fs.readFileSync('common/models/permissions.json', 'utf8'));
    permissions = permissions.pages;
    findRole().then(
        function(userRole) {
            var permission = permissions[userRole.name];
            // A role with no entry in the file gets no pages (fail closed instead of throwing)
            if (!permission || permission.indexOf(path) < 0) {
                // User does not have permission to view page, send 401
                var err = new Error("Authorization Required");
                err.status = 401;
                cb(err, null);
            } else {
                cb(null, "200");
            }
        },
        function(err) {
            // Role lookup failed: report it rather than leaving the request unanswered
            cb(err, null);
        }
    );
};