Roles -> Permissions

[sclausen]

Hi, this isn't a real issue, its more an idea. Wouldn't it be awesome, if you could attach permissions to roles and check them on server/client like Roles.isPermitted(loggedInUser, "admin:users:write"); instead of Roles.userIsInRole(loggedInUser, ['user-manager']). I would suggest a permission system like Apache Shiro.
This way, you could manage what e.g. the admin-user or user-manager can do apart of the role.

Therefore you can change the meaning of being in a role and don't have to change every users roles if features of your app change in future.

[alanning]

Hi @sclausen,

Thanks for the suggestion. I think you can do this with the authorization package on atmosphere: https://atmospherejs.com/package/authorization

It is a fork by another user of roles so you should be able to get up and going quickly.

I'll try to get in touch with the author and see if there's interest in remerging back into roles.

[Vadorequest]

I just run into Meteor and I'm wondering what should I choose between your package or the authorization package, they look the same, authorization beeing based on yours. But it hasn't been updated for 3 months and I don't really see what the differences are!

How is your package better than authorization?
Thanks!

[alanning]

Both packages let you assign permissions to users.

The authorization package is based off an earlier version of this package and adds the ability to "nest" permissions in a hierarchy. Not sure if it can handle trees of an arbitrary depth or just two levels. So you could have an "admin" permission and nest permissions under it like "manage-users", "view-secrets", etc. then assign the "admin" permission to a user and they auto-get the others. At least that's my understanding.

If that sounds useful for your use case and you don't need the more recent updates to this package (see commit history since fork) then go for authorization.

If you need the latest roles features, you can accomplish something similar with its flat hierarchy by checking for multiple roles:

Roles.isUserInRole(userId, ['admin', 'manage-users'])

But you'll have to update those checks if you want to change the default of what 'admin' means so it's not quite as convenient.

A word of caution, I've found that using a permission hierarchy sounds nice in the beginning but it tends to break down in real life. There's always exceptions and it causes confusion if users are managing any of that themselves. If it's more of an internal use only thing then you should be fine.

On Jul 20, 2014, at 8:44 AM, Vadorequest notifications@github.com wrote:

I just run into Meteor and I'm wondering what should I choose between your package or the authorization package, they look the same, authorization beeing based on yours. But it hasn't been updated for 3 months and I don't really see what the differences are!

How is your package better than authorization?
Thanks!

—
Reply to this email directly or view it on GitHub.

[Vadorequest]

Okay, thanks for the answer, I mostly wanted to know the differences between both, I prefer use something maintained anyway. I don't need nested permissions neither.

[Siyfion]

I would also agree that some form of hierarchical roles/permissions would be a great feature to have.