
Roles

Roles are used within the system to limit certain pages or access to certain groups of people. You can have as many roles as you wish.

koad:io roles

Some default roles are already in use within the koad:io ecosystem and are pre-generated here:

  1. owner

    • this is the only user who can adjust roles (except for those with access to the runtime/shell).
    • used to override all things, this role gives you full access to all things in the system.
    • never give this role to anyone else, ever.
  2. self

    • used internally to help the entity-in-charge to identify itself.
  3. robotic

    • this is used to assign work, and maintain longer-lasting-login-tokens [LLLT].
    • use this only with trusted software you own, host and control; never give this to a human user.
  4. servant

    • a servant role is similar to robotic, except backwards:
    • the user gets zero access to ANY information until/unless it is explicitly written.

that's it.

create roles

create some new roles, choose your own theme.

make up whatever kind of roles you want, you can use them to let certain people access certain things.

chess like

Roles.createRole("queen", {unlessExists: true});
Roles.createRole("rook", {unlessExists: true});
Roles.createRole("knight", {unlessExists: true});
Roles.createRole("bishop", {unlessExists: true});
Roles.createRole("king", {unlessExists: true});
Roles.createRole("pawn", {unlessExists: true});

service like

Roles.createRole("frogman", {unlessExists: true});
Roles.createRole("yeoman", {unlessExists: true});
Roles.createRole("guest", {unlessExists: true});
Roles.createRole("admin", {unlessExists: true});
Roles.createRole("self", {unlessExists: true});
Roles.createRole("owner", {unlessExists: true});
Roles.createRole("super-admin", {unlessExists: true});
Roles.createRole("servant", {unlessExists: true});
Roles.createRole("coordinator", {unlessExists: true});
Roles.createRole("guest", {unlessExists: true});

set roles

set a human user's roles.

Roles.setUserRoles(Accounts.users.findOne({username: "mom"})._id, ['family', 'guest']);
Roles.setUserRoles(Accounts.users.findOne({username: "alice"})._id, ['servant']);
Roles.setUserRoles(Accounts.users.findOne({username: "koad"})._id, ['owner', 'admin', 'super-admin']);

set a robotic user's roles.

full access to self

Roles.setUserRoles(Accounts.users.findOne({username: "alice"})._id, ['self']);

full access to general things

Roles.setUserRoles(Accounts.users.findOne({username: "alice"})._id, ['robotic']);

limited, partial access to specific things

Roles.setUserRoles(Accounts.users.findOne({username: "astro"})._id, ['servant']);

groups

roles can be multi-dimensional too, a role inside a group.

Roles.addUsersToRoles(USER_ID, ROLE_NAME, ROLE_GROUP);
Roles.addUsersToRoles(Accounts.users.findOne({username: "mom"})._id, 'mother', 'family');

using it

publications

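// server/publish.js
import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import { Roles } from 'meteor/alanning:roles';

// Give authorized users access to sensitive data by scope
// (Meteor.secrets is assumed to be a collection defined elsewhere)
Meteor.publish('secrets', function (scope) {
  // reject anything that is not a plain string before it reaches the query
  check(scope, String);

  if (Roles.userIsInRole(this.userId, ['view-secrets','admin'], scope)) {
     return Meteor.secrets.find({scope: scope});
  } else {
     // user not authorized. do not publish secrets
     this.stop();
     return;
  }

});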

methods

// server/userMethods.js
import { Meteor } from 'meteor/meteor';
import { check } from 'meteor/check';
import { Roles } from 'meteor/alanning:roles';

Meteor.methods({
    /**
    * Revokes roles for a user in a specific scope.
    * 
    * @method revokeUser
    * @param {String} targetUserId ID of user to revoke roles for.
    * @param {String} scope Company to update roles for.
    */
    revokeUser: function (targetUserId, scope) {
        check(targetUserId, String);
        check(scope, String);

        var loggedInUser = Meteor.user();
        if (!loggedInUser ||
            !Roles.userIsInRole(loggedInUser, ['manage-users', 'support-staff'], scope)) {
            throw new Meteor.Error('access-denied', "Access denied");
        }

        // remove roles for target scope
        Roles.setUserRoles(targetUserId, [], scope)
    }
})
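
The default-role rules listed near the top of this page (only the owner adjusts roles, owner is never handed to another account, robotic never goes to a human user) can be enforced in one server-side check before any role change is written. This is an added example, not koad:io or alanning:roles code; validateRoleChange and the actor/target object shapes (id, roles, isHuman) are assumptions made for illustration.

```javascript
// Added example. Rules are taken from the role descriptions on this page;
// validateRoleChange and the actor/target shapes are hypothetical.
const OWNER_ONLY = 'owner';      // "never give this role to anyone else, ever"
const MACHINE_ONLY = 'robotic';  // "never give this to a human user"

function validateRoleChange(actor, target, requestedRoles) {
  const errors = [];

  // Only the owner may adjust roles.
  const actorIsOwner = Boolean(actor) && Array.isArray(actor.roles) &&
    actor.roles.includes(OWNER_ONLY);
  if (!actorIsOwner) errors.push('only the owner can adjust roles');

  // Reject malformed input before inspecting individual roles.
  const wellFormed = Boolean(target) && Array.isArray(requestedRoles) &&
    requestedRoles.every((r) => typeof r === 'string' && r.length > 0);
  if (!wellFormed) {
    errors.push('target and a list of role names are required');
    return { allowed: false, errors };
  }

  for (const role of requestedRoles) {
    // The owner role stays with the existing owner account.
    if (role === OWNER_ONLY && !(actorIsOwner && target.id === actor.id)) {
      errors.push('owner cannot be granted to another account');
    }
    // robotic keeps longer-lasting login tokens, so software accounts only.
    if (role === MACHINE_ONLY && target.isHuman) {
      errors.push('robotic cannot be given to a human user');
    }
  }
  return { allowed: errors.length === 0, errors };
}

// Constructed sample accounts, reusing usernames from this page.
const koad = { id: 'u1', roles: ['owner', 'admin'], isHuman: true };
const mom = { id: 'u2', roles: ['guest'], isHuman: true };
const astro = { id: 'u3', roles: ['servant'], isHuman: false };

console.log(validateRoleChange(koad, mom, ['family', 'guest']));
console.log(validateRoleChange(koad, mom, ['owner']));
console.log(validateRoleChange(mom, astro, ['robotic']));
console.log(validateRoleChange(koad, astro, ['robotic']));
```

In a Meteor method, run this check before calling Roles.setUserRoles and throw a Meteor.Error when allowed is false.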

templates

check for global roles

<template name="header">
  ... regular header stuff
  {{#if isInRole 'admin'}}
    {{> admin_nav}}  
  {{/if}}
  {{#if isInRole 'admin,editor'}}
    {{> editor_stuff}}
  {{/if}}
</template>

check for roles, using scopes

<template name="header">
  ... regular header stuff
  {{#if isInRole 'admin,editor' 'group1'}}
    {{> editor_stuff}}  
  {{/if}}
</template>

reference