support multiple roles in RBAC middleware

README.md

@@ -78,7 +78,7 @@ func main() {
 - `middleware.Auth` - requires authenticated user
 - `middleware.Admin` - requires authenticated admin user
 - `middleware.Trace` - doesn't require authenticated user, but adds user info to request
-- `middleware.RBAC` - requires authenticated user with passed role
+- `middleware.RBAC` - requires authenticated user with passed role(s)
 
 Also, there is a special middleware `middleware.UpdateUser` for population and modifying UserInfo in every request. See "Customization" for more details.
 

middleware/auth.go

@@ -191,7 +191,7 @@ func (a *Authenticator) basicAdminUser(r *http.Request) bool {
 
 // RBAC middleware allows role based control for routes
 // this handler internally wrapped with auth(true) to avoid situation if RBAC defined without prior Auth
-func (a *Authenticator) RBAC(role string) func(http.Handler) http.Handler {
+func (a *Authenticator) RBAC(roles ...string) func(http.Handler) http.Handler {
 
 	f := func(h http.Handler) http.Handler {
 		fn := func(w http.ResponseWriter, r *http.Request) {
@@ -201,7 +201,14 @@ func (a *Authenticator) RBAC(role string) func(http.Handler) http.Handler {
 				return
 			}
 
-			if !strings.EqualFold(role, user.Role) {
+			var matched bool
+			for _, role := range roles {
+				if strings.EqualFold(role, user.Role) {
+					matched = true
+					break
+				}
+			}
+			if !matched {
 				http.Error(w, "Access denied", http.StatusForbidden)
 				return
 			}

middleware/auth_test.go

@@ -383,7 +383,7 @@ func TestRBAC(t *testing.T) {
 		w.WriteHeader(201)
 	})
 
-	mux.Handle("/authForEmployees", a.RBAC("employee")(handler))
+	mux.Handle("/authForEmployees", a.RBAC("someone", "employee")(handler))
 	mux.Handle("/authForExternals", a.RBAC("external")(handler))
 	server := httptest.NewServer(mux)
 	defer server.Close()