.post(validate(attendanceValidation.createAttendance),
// (req, res, next) => {
// req.user = { // eslint-disable-line no-param-reassign
// role: 'admin',
// _id: '5a65d0db9226782db8aa067e'
// };
// next();
// },
accesscontrol.accessControlMiddleware({
resource: 'attendance',
action: 'create',
checkOwnerShip: true, // optional if false or not provided will check any permission of action
operands: [
{ source: 'user', key: '_id' }, // means req.user._id (use to check ownership)
{ source: 'body', key: 'user' } // means req.params.userId (use to check ownership)
]
}),
attendanceController.sendAttendance);

The above written code when executed says --
_accesscontrol2.default.accessControlMiddleware is not a function.

i think there should be a provision to check the resource and action

I think there should be a provision to send an error message when the user dont have access to do something.

For now it just sets the status 403 which is for forbidden, but it does not sends any message, just sends blank response.

I think there should be some message sended to user when they dont have access for something to do, saying you dont have access to do this work.

For this line

        if (firstOperand === secondOperand) {

It will not compare values correctly if one is a string (like req.params.id) and one is a number(like req.user.id).

Any ideas on the best way to fix this without any unwanted side effects? Maybe include another option to convert the resource to?

Like expectedType: 'number' will call Number() on firstOperand ?

Currently ownership validation is done by checking these two properties:

checkOwnerShip : true, // optional if false or not provided will check any permission of action
    operands : [
      { source : 'user', key : '_id' },  // means req.user._id (use to check ownership)
      { source : 'params', key : 'userId' } // means req.params.userId (use to check ownership)
    ]

Where checkOwnerShip should be true and the operands should be equal to each other.

My problem is that in typical relational databases, the ownership id of an object is typically separate from the actual id of the object itself. For example if there were two models of User and Comment:

User : {
  id,
  username,
  email
}

and

Comment: {
  id,
  body,
  owner_id
}

The comment's owner is determined by the owner_id rather than its own id. This means that you would need to make a call to the database using params.id.

In the provided example for this library it uses params.userId as the passed in parameter but I think that, typically speaking, you would normally structure the routes in a way where you're passing the model's id itself as the parameter, rather than the model's ownership id.

I'm not sure if this should be considered an issue with this library itself, or maybe its just that I structured my routes in a way that isn't 100% compatible with this library. Solving this would require some database agnostic way of querying a row by the passed in parameter and comparing the resulting ownership id of that row to the user.id.

@pawangspandey Could you please add LICENSE file ?