Build a blog with Areto Node.js framework

Module access

The areto/filters/AccessControl filter is used in the Admin class objects to protect the admin module from unauthorized access. This filter based on rules defined in the rules parameter. Each rule element initializes the areto/filters/AccessRule class object.

This allow property defines the type of rules allowing (true) or forbidding (false). The roles property contains an array of roles that use this rule. In addition to roles in the rbac/items file, there are two built-in roles:

  • ? - an anonymous (guest) user.
  • @ - a logged-on user.


const Base = require('areto/base/Module');
module.exports = class Admin extends Base {
  static getConstants ()  {
    return {
      BEHAVIORS: {
        access: {
          Class: require('areto/filters/AccessControl'),
          rules: [{
            allow: true,
            roles: ['reader']
module.exports = new (module.exports.init(module));

If a user is anonymous, the filter will redirect him to the login form. If a user is logged and does not have access, then the "403 Access Denied" message is displayed.