Build a blog with Areto Node.js framework

Access control

Areto framework uses a RBAC (Role Based Access Control) system of access rights.

Signed user in

The following is an example of the RBAC concept applied to removing an article. First, create the deleteArticle permission that describes the protected functionality. Then create the editor role that will be assigned to a user, and add the deleteArticle permission to that role's children. To catch a user's attempt to remove an article, add a check for the deleteArticle permission in the controller's action.

Add the rbac component to the application configuration. Its implementation is contained in the areto/rbac/Manager class.

config/default.js

...
  components: {
    ...
    rbac: {}
    ...
  }  
...

By default, file storage is used to keep the access settings. Create the rbac/items file with a list of roles and permissions. A role may inherit permissions and other roles. A permission cannot inherit a role.

The updateOwnArticle permission is closed by the author rule. It protects the article from updates by anyone except its author. Add the updateArticle permission and assign it to the blog editor role, so that an editor can update any article.

Roles contain a typical hierarchy of the blog users:

  • reader - can view objects.
  • author - inherits the reader permissions and can edit their own articles.
  • editor - inherits the author permissions, and also can edit any article.
  • moderator - inherits the author permissions, and can also edit any comments.
  • admin - inherits the editor and moderator permissions.

rbac/items.js

'use strict';
module.exports = {
  'updateArticle': {
    type: 'permission'
  },
  'updateOwnArticle': {
    type: 'permission',
    children: ['updateArticle'],
    rule: 'author'
  },
  'reader': {
    type: 'role'
  },
  'author': {
    type: 'role',
    children: ['reader', 'updateOwnArticle']
  },
  'editor': {
    type: 'role',
    children: ['author', 'updateArticle']
  },
  'moderator': {
    type: 'role',
    children: ['author']
  },
  'admin': {
    type: 'role',
    children: ['editor', 'moderator']
  }        
};

The rbac/rules file contains rules for permissions (and roles). A rule locks a permission and opens it only after the rule's own check passes.

The author rule permits access only to the author of the object.

rbac/rules.js

'use strict';
module.exports = {
  author: {
    Class: require('areto/rbac/AuthorRule')
  }
};
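To see how the items tree and the author rule combine, here is a small resolver that walks the tree above the way an RBAC manager would. It is an added example written for this page, not Areto's rbac component; the rule signature `(user, params)` and the `article.authorId` field it inspects are assumptions.

```javascript
// Added example (not Areto's own code): resolves a permission check against the
// hierarchy from rbac/items.js, applying the 'author' rule on the way down.
const items = {
  updateArticle: { type: 'permission' },
  updateOwnArticle: { type: 'permission', children: ['updateArticle'], rule: 'author' },
  reader: { type: 'role' },
  author: { type: 'role', children: ['reader', 'updateOwnArticle'] },
  editor: { type: 'role', children: ['author', 'updateArticle'] },
  moderator: { type: 'role', children: ['author'] },
  admin: { type: 'role', children: ['editor', 'moderator'] }
};

// A rule receives the current user and the request params and must return true
// for the guarded item (and everything below it) to open. The (user, params)
// signature and the article.authorId field are assumptions for this example.
const rules = {
  author: (user, params) =>
    Boolean(params.article) && params.article.authorId === user.id
};

// Depth-first search from each role assigned to the user. An item guarded by a
// rule that fails is closed together with its whole subtree, so an author only
// reaches updateArticle through updateOwnArticle when the rule passes, while an
// editor reaches updateArticle directly regardless of authorship.
function hasAccess(user, name, params = {}) {
  const visited = new Set();
  const walk = item => {
    const entry = items[item];
    if (!entry || visited.has(item)) return false;
    visited.add(item);
    if (entry.rule && !rules[entry.rule](user, params)) return false;
    if (item === name) return true;
    return (entry.children || []).some(walk);
  };
  return (user.roles || []).some(walk);
}

module.exports = { hasAccess };
```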

The rbac/assignments file contains users with assigned roles. In this case, the file is empty, because the user role is stored in the role attribute of the user model. It is overridden in the getAssignments method of the models/User class.

rbac/assignments.js

'use strict';
module.exports = {
  // userId1: ['role1'], 
  // userId2: ['role1', 'role2']
};