安全审计>> meteor-jalik-roles>> 返回
项目作者: jalik

项目描述 :
A roles and permissions security layer for Meteor
高级语言: JavaScript
项目地址: git://github.com/jalik/meteor-jalik-roles.git
创建时间: 2015-06-30T09:19:00Z
项目社区:https://github.com/jalik/meteor-jalik-roles
开源协议:MIT License
下载


jalik:roles

This package adds a simple and flexible permissions system that allows you to control what users can do or cannot do in your Meteor apps.
The code is well tested with the mocha testing framework.

Donate

Installation

To install the package, execute this command in the root of your project :

  1. meteor add jalik:roles

If later you want to remove the package :

  1. meteor remove jalik:roles

Creating roles

You first need to define the roles of your app.
A role can be assigned to one or more users, but a user can only have one role.

Create the default roles when the app starts.
The roles collection is accessible via Meteor.roles which is a Mongo.Collection object.

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     if (Meteor.roles.find({}).count() === 0) {
  6.         // Define administrator role
  7.         Meteor.roles.insert({
  8.             name: "Administrator",
  9.             permissions: ['administrate']
  10.         });
  11.         // Define member role
  12.         Meteor.roles.insert({
  13.             name: "Member",
  14.             permissions: ['vote', 'comment']
  15.         });
  16.     }
  17. }

Note that by default, all operations (insert, update, remove) on the roles collection are not allowed on the client.
If you want to interact with the collection, create your own Meteor.methods or set permissions with Meteor.roles.allow() or Meteor.roles.deny().

Adding permissions to a role

To add one or more permissions to a role, use Roles.addRolePerms(permission, roleId).

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     let role = Meteor.roles.findOne({name: "Administrator"});
  6.     Roles.addRolePerms('administrate', role._id);
  7.     Roles.addRolePerms(['create', 'delete'], role._id);
  8. }

Removing permissions from a role

To remove one or more permissions from a role, use Roles.removeRolePerms(permission, roleId).

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     let role = Meteor.roles.findOne({name: "Administrator"});
  6.     Roles.removeRolePerms('administrate', role._id);
  7.     Roles.removeRolePerms(['create', 'delete'], role._id);
  8. }

Getting permissions of a role

To get all permissions of a role, use Roles.getRolePerms(roleId).

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     let role = Meteor.roles.findOne({name: "Administrator"});
  6.     let perms = Roles.getRolePerms(role._id);
  7.     console.log(perms);
  8. }

Assigning a role to a user

To assign a role, use the Roles.setUserRole(userId, roleId) method.
The role will be stored on the user object, in the roleId attribute.

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     let user = Meteor.users.findOne({name: "karl"});
  6.     let role = Meteor.roles.findOne({name: "Administrator"});
  7.     // Set user's role
  8.     Roles.setUserRole(user._id, role._id);
  9. }

Removing a role from a user

To remove a role from a user, use the Roles.setUserRole(userId, null) method.

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isServer) {
  5.     let user = Meteor.users.findOne({name: "karl"});
  6.     // Remove user's role by setting null
  7.     Roles.setUserRole(user._id, null);
  8. }

Getting the role of a user

To get the role of a user, call the Roles.getUserRole(userId) or Roles.getUserRoleId(userId).
On the client, there you can use Meteor.role() or Meteor.roleId().

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isClient) {
  5.     // Get the current role ID
  6.     let roleId = Meteor.roleId();
  7.     // Get the current role object
  8.     let role = Meteor.role();
  9. }
  10. if (Meteor.isServer) {
  11.     let user = Meteor.users.findOne({name: "karl"});
  12.     // Get the role ID of this user
  13.     let roleId = Roles.getUserRoleId(user._id);
  14.     // Get the role of this user
  15.     let role = Roles.getUserRole(user._id);
  16. }

NOTE : on the client, you should make sure that roles are loaded via subscriptions.

Checking permissions

To check if a user has one or more permissions, use Roles.userCan(permission, userId).
You can do the same with a role using the Roles.roleCan(permission, userId).

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. if (Meteor.isClient) {
  5.     // do stuff if the current user can comment
  6.     if (Roles.userCan('comment')) {
  7.     }
  8.     // equivalent to above
  9.     if (Roles.userCan('comment', Meteor.userId())) {
  10.     }
  11.     // do stuff if the current user has all this permissions, not only one
  12.     if (Roles.userCan(['edit', 'delete'])) {
  13.     }
  14. }
  15. if (Meteor.isServer) {
  16.     let user = Meteor.users.findOne({name: "karl"});
  17.     let role = Meteor.roles.findOne({name: "Member"});
  19.     // userId is required on server
  20.     if (Roles.userCan('comment', user._id)) {
  21.     }
  22.     // do stuff if the user has all this permissions
  23.     if (Roles.userCan(['edit', 'delete'], user._id)) {
  24.     }
  25.     // do stuff if the role can comment
  26.     if (Roles.roleCan('comment', role._id)) {
  27.     }
  28. }

You can throw an error if the role or the user does not have the permissions.

  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. let user = Meteor.users.findOne({name: "karl"});
  5. let role = Meteor.roles.findOne({name: "Member"});
  7. // Throw a 'forbidden' error if the checks fail
  8. Roles.checkUserPerms('send_comment', user._id);
  9. Roles.checkRolePerms('comment', role._id);
  11. // If the user cannot edit, the code below won't be reached
  12. console.log('sending comment...');

Publishing roles

Do not forget to publish/subscribe to the roles collection to make them accessible on clients.
You can create your own publications or use the package’s default publications.

  1. import {Roles} from 'meteor/jalik:roles';
  3. // Creates the 'role' publication
  4. Roles.publishRole();
  5. // Creates the 'roles' publication
  6. Roles.publishRoles();
  7. // Creates the 'userRole' publication
  8. // This one is important if you want to auto-subscribe to the current user's role
  9. // It can be used in combination of the Roles.autoLoadUserRole() method
  10. Roles.publishUserRole();
  1. import {Meteor} from 'meteor/meteor';
  2. import {Roles} from 'meteor/jalik:roles';
  4. // Subscribe to the publication you need on the client
  5. Meteor.startup(function() {
  6.     // Load a single role
  7.     Meteor.subscribe('role', roleId);
  8.     // Load all roles with the "delete" permission
  9.     Meteor.subscribe('roles', {permissions: {$in: ['delete']}}, {sort: {name: 1}});
  10.     // Load the role of the current user (manually)
  11.     Meteor.subscribe('userRole');
  12.     // Automatically subscribe to the role of the current user
  13.     // re-subscribe if user change or if role change.
  14.     Roles.autoLoadUserRole();
  15. });

Adding template helpers

To add blaze template helpers, call the Roles.addBlazeHelpers() method, which will execute the code below :

  1. Template.registerHelper('userCan', function (permissions) {
  2.     return Roles.userCan(permissions);
  3. });

After what the following helper will be available in your templates.

  1. {{#if userCan 'comment'}}
  2.     {{> commentForm}}
  3. {{/if}}

Changelog

v0.2.2

  • Removes templating dependency to improve compatibility with non-blaze applications

v0.2.1

  • Fixes this scope in Roles.addBlazeHelpers()

v0.2.0

  • Uses ES6 module import and export syntax
  • Adds Roles.addBlazeHelpers() to manually add a userCan template helper
  • Adds Roles.addRolePerms(permission, roleId) to add permission to a role
  • Adds Roles.autoLoadUserRole() to load user’s role automatically on the client
  • Adds Roles.getRolePerms(roleId) to get the permissions of a role
  • Adds Roles.getUserRoleId(userId) to get the role ID of a user
  • Adds Roles.publishRole() on the server to publish a single role
  • Adds Roles.publishRoles() on the server to publish the roles collection
  • Adds Roles.publishUserRole() on the server to publish the current user’s role
  • Adds Roles.removeRolePerms(permission, roleId) to remove permission from a role
  • Adds Roles.roleExists(roleId) to check if a role exists
  • Adds Roles.setRolePerms(permissions, roleId) to replace permissions of a role
  • Adds unit tests to eliminate bugs
  • Removes automatic declaration of the userCan template helper
  • Modifies Roles.getUserRole(userId) to return the role object instead of the role ID

License

This project is released under the MIT License.