scttnlsn / mongoose-acl Goto Github PK

Trying to decide if there's any merit to creating an explicit revokeAccess method?

Obviously, setAccess with empty (or no) perms could be called, effectively revoking access. However, it might be even better to go a step further and actually delete the key(s) instead of assigning an empty array?

For object, something like this:

    schema.methods.revokeAccess = function(key) {
        if (this[options.path]) {
            delete this[options.path][key];
            this.markModified(options.path);
        }
    };

On the subject side, it probably makes sense to have separate revokeAccess and revokeAllAccess methods - the former for just the main key, and the latter including additional and public keys.

Thoughts? I'd be happy to submit a PR with tests if you agree.

I'm finding mongoose-acl a very useful shortcut to what I'm trying to do, but I facing a couple of limitations with nested schemas, each with it's own permission.

Notably, the changes that needs to be made are to the toJSON to hide the _acl (see here) which is only called on the parent

And also, a way to query multiple access permissions when dealing with embedded documents (for example, find the parent documents according to permissions, and also filter children according to permissions)

Looking forward to hearing your thoughts about this

I've followed the documentation and set it up just like it was written. But I can't seem to get it to work.

Is there anything that needs to be done thats not in the documentation? Like adding something to the schema?

Here I set the ACL for an album.
var name = req.body.name; var album = new Album(req.body); album.save(); User.findById(req.user, function(err, user) { user.setAccess(album, ['read', 'write', 'delete']); });

And then loading in all albums that the user has access to:

User.findById(req.user, function(err, user) { Album.withAccess(user, ['read']).exec(function(err, albums) { res.send(albums); }); });

But it returns nothing, and there are no errors.

Do you know of a good article or tutorial explaining the methods used by your module?

I'm trying to figure out if I can use mongoose-acl for giving access to perform admin actions on a page (everyone else would just get read-only view of page).

For example a profile page would be readable by anyone, but only the user who owns the profile can make changes.