Roles
Roles are used within the system to limit certain pages and access to certain groups of people. You can have as many roles as you wish.
koad:io roles
Some default roles are already used within the koad:io ecosystem and are pre-generated here:
- owner
  - this is the only user who can adjust roles (except for those with access to the runtime/shell).
  - used to override all things; this role gives you full access to all things in the system.
  - never give this role to anyone else, ever.
- self
  - used internally to help the entity-in-charge to identify itself.
- robotic
  - this is used to assign work and maintain longer-lasting login tokens [LLLT].
  - use this only with trusted software you own, host and control; never give this to a human user.
- servant
  - a servant role is similar to robotic, except backwards:
  - the user gets zero access to ANY information until/unless it was explicitly written.
that's it.
create roles
create some new roles, choose your own theme.
make up whatever kind of roles you want, you can use them to let certain people access certain things.
chess like
Roles.createRole("queen", {unlessExists: true});
Roles.createRole("rook", {unlessExists: true});
Roles.createRole("knight", {unlessExists: true});
Roles.createRole("bishop", {unlessExists: true});
Roles.createRole("king", {unlessExists: true});
Roles.createRole("pawn", {unlessExists: true});
service like
Roles.createRole("frogman", {unlessExists: true});
Roles.createRole("yeoman", {unlessExists: true});
Roles.createRole("guest", {unlessExists: true});
Roles.createRole("admin", {unlessExists: true});
Roles.createRole("self", {unlessExists: true});
Roles.createRole("owner", {unlessExists: true});
Roles.createRole("super-admin", {unlessExists: true});
Roles.createRole("servant", {unlessExists: true});
Roles.createRole("coordinator", {unlessExists: true});
set roles
set a human user's roles.
Roles.setUserRoles(Accounts.users.findOne({username: "mom"})._id, ['family', 'guest']);
Roles.setUserRoles(Accounts.users.findOne({username: "alice"})._id, ['servant']);
Roles.setUserRoles(Accounts.users.findOne({username: "koad"})._id, ['owner', 'admin', 'super-admin']);
set a robotic user's roles.
full access to self
full access to general things
limited, partial access to specific things
groups
roles can be multi-dimensional too, a role inside a group.
Roles.addUsersToRoles(USER_ID, ROLE_NAME, ROLE_GROUP);
Roles.addUsersToRoles(Accounts.users.findOne({username: "mom"})._id, 'mother', 'family');
using it
publications
// server/publish.js
import { Meteor } from 'meteor/meteor'
import { check } from 'meteor/check'
import { Roles } from 'meteor/alanning:roles'

// Give authorized users access to sensitive data by scope
Meteor.publish('secrets', function (scope) {
  check(scope, String);

  if (Roles.userIsInRole(this.userId, ['view-secrets','admin'], scope)) {
    return Meteor.secrets.find({scope: scope});
  } else {
    // user not authorized. do not publish secrets
    this.stop();
    return;
  }
});
methods
// server/userMethods.js
import { Meteor } from 'meteor/meteor'
import { check } from 'meteor/check'
import { Roles } from 'meteor/alanning:roles'

Meteor.methods({
  /**
   * Revokes roles for a user in a specific scope.
   *
   * @method revokeUser
   * @param {String} targetUserId ID of user to revoke roles for.
   * @param {String} scope Company to update roles for.
   */
  revokeUser: function (targetUserId, scope) {
    check(targetUserId, String);
    check(scope, String);

    // the caller must be logged in and hold a managing role in this scope
    var loggedInUser = Meteor.user();
    if (!loggedInUser ||
        !Roles.userIsInRole(loggedInUser, ['manage-users', 'support-staff'], scope)) {
      throw new Meteor.Error('access-denied', "Access denied");
    }

    // remove roles for target scope
    Roles.setUserRoles(targetUserId, [], scope)
  }
})
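The rules stated for the koad:io roles above (only owner adjusts roles, owner is never given to anyone else, robotic never goes to a human user) can be checked in one guard before a method like the one above calls Roles.setUserRoles. This is an added example, not code from koad:io or alanning:roles; the isRobot field, the function names and the in-memory makeStubRoles stand-in are assumptions made so it runs outside Meteor.

```javascript
// Added example, not koad:io's code. `isRobot` and the function names are
// hypothetical; `Roles` is any object exposing userIsInRole / setUserRoles
// with the signatures used on this page (alanning:roles on a Meteor server).

// Returns null when the change is allowed, otherwise the reason for refusal.
function roleChangeDenial(Roles, actorId, target, newRoles) {
  // "owner ... is the only user who can adjust roles"
  if (!actorId || !Roles.userIsInRole(actorId, ['owner'])) {
    return 'only the owner can adjust roles';
  }
  if (!target || typeof target._id !== 'string') {
    return 'unknown target user';
  }
  if (!Array.isArray(newRoles) ||
      !newRoles.every((r) => typeof r === 'string' && r.length > 0)) {
    return 'roles must be an array of non-empty strings';
  }
  // "never give this role to anyone else, ever"
  if (newRoles.includes('owner') && target._id !== actorId) {
    return 'owner is never given to anyone else';
  }
  // "never give this to a human user" (assumes software accounts carry isRobot: true)
  if (newRoles.includes('robotic') && target.isRobot !== true) {
    return 'robotic is only for software accounts';
  }
  return null;
}

// Applies the change only when the guard passes. In a Meteor method, throw
// Meteor.Error('access-denied', ...) instead of a plain Error.
function applyRoleChange(Roles, actorId, target, newRoles) {
  const denial = roleChangeDenial(Roles, actorId, target, newRoles);
  if (denial) throw new Error('access-denied: ' + denial);
  Roles.setUserRoles(target._id, newRoles);
}

// Constructed in-memory stand-in for Roles so the guard runs outside Meteor.
function makeStubRoles(assignments) {
  return {
    userIsInRole: (userId, roles) =>
      roles.some((r) => (assignments[userId] || []).includes(r)),
    setUserRoles: (userId, roles) => { assignments[userId] = [...roles]; },
  };
}
```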
templates
check for global roles
<template name="header">
  ... regular header stuff
  {{#if isInRole 'admin'}}
    {{> admin_nav}}
  {{/if}}
  {{#if isInRole 'admin,editor'}}
    {{> editor_stuff}}
  {{/if}}
</template>
check for roles, using scopes
<template name="header">
  ... regular header stuff
  {{#if isInRole 'admin,editor' 'group1'}}
    {{> editor_stuff}}
  {{/if}}
</template>