Expressjs路由：基于角色的路由

Question

I have a small dilema to resolve this.

I have a user and an admin role.

userRoles: ['user', 'admin']

Users should be able to list all users except admins. Admins can list all users.

The first solution i have in mind is to check roles at the controller level:

if (req.user.role == 'admin'){list all users}
else{list all except admins}

but what i'd like to do is more on a route level, to keep the controllers cleaner, but somehow it doest work. It lists the users only even if im logged as an admin.

router.get('/', auth.hasRole('user'), controller.index);
router.get('/', auth.hasRole('admin'), controller.getUsers);


function hasRole(roleRequired) {
 if (!roleRequired) throw new Error('Required role needs to be set');

  return compose()
    .use(isAuthenticated())
    .use(function meetsRequirements(req, res, next) {
      if (config.userRoles.indexOf(req.user.role) >= config.userRoles.indexOf(roleRequired)) {
        next();
      }
      else {
        res.status(403).send('Forbidden');
      }
    });
}

any suggestions? Thanks !

Answer 1

So, I'm not sure this is your problem, but one thing to remember is that JS doesn't guarantee the indexing of an array (per the ecmascript spec), so your >= test is not reliable.

Better to use a bitmask like I did in AuthZ , where you assign rights or roles as fixed binary numbers that you can then filter against:

// lib/rights.js
module.exports = {
  READ : 1 << 0, // 001
  WRITE : 1 << 1, // 010
  DELETE : 1 << 2 //100
};

// lib/roles.js
var rights = require('./rights');
    module.exports = {
      ADMIN : rights.READ ^ rights.WRITE ^ rights.DELETE,
      MEMBER : rights.READ ^ rights.WRITE,
      GUEST : rights.READ
    };

Then you can check pretty easily:

if (user.role & resource.rightsRequired) { /* you're in! */ }