orbit:permissions

Authorization for Meteor Package Developers

By Daniel Chcouri / theosp.github.io


www.MeteorSpark.com
Developed For:

www.TAPevents.com

The Orbit Project

An open source content management platform for Meteor
A platform for web & mobile apps for non-developers

Orbit Users

  • Developers of packages (plugins) for Orbit
  • App Developers
  • App Editors

Orbit Authorization Needs

  • Permissions are defined and used in multiple packages
  • Permissions of one package can be used by other packages
  • Package and app developers should be able to set predefined roles (collections of permissions) that they assume will be in wide use
  • Project editors can add more roles to the system with any set of Permissions

orbit:permissions Structure

orbit:permissions Permissions

  • permissions:delegate-and-revoke: Delegate and revoke user roles
  • permissions:get-users-roles: Query roles of other users
  • permissions:edit-custom-roles: Define and undefine custom roles

orbit:permissions Package Roles

  • permissions:admin:
    • Users with this role will have all the permissions of all the packages
  • permissions:permissions-manager:
    • permissions:delegate-and-revoke
    • permissions:get-users-roles
    • permissions:edit-custom-roles

orbit:permissions API

Defining Permissions and Package Roles

Chat Package Example

// Common code on client and server

(new OrbitPermissions.Registrar("chat"))
  .definePermission("remove-message")
  .definePermission("edit-message")
  .definePermission("appoint-manager")
  .defineRole("chat-moderator", ["edit-message", "remove-message"]);

Package Role at the Application Level

// Common code on client and server

// Registrar for the app is created when
// OrbitPermissions.Registrar() is called with no args
application_registrar = new OrbitPermissions.Registrar();

// Application-level permissions are referenced with the "project:" prefix
application_registrar
  .definePermission("approve-accounts")
  .defineRole("site-moderator",
     ["chat:edit-message",
      "chat:remove-message",
      "project:approve-accounts"]);

Custom Roles

Define and undefine a Custom Role

// On the client, the following requires the 
// permissions:edit-custom-roles permission

OrbitPermissions.defineCustomRole("underprivileged-moderator",
    ["project:approve-accounts", "chat:remove-message"]);

OrbitPermissions.undefineCustomRole("underprivileged-moderator");

Delegate & Revoke Roles

Delegate & Revoke a role


// On the client, the following requires the
// permissions:delegate-and-revoke permission

OrbitPermissions.delegate(user,
  ["chat:chat-moderator", "project:site-moderator"]);

OrbitPermissions.revoke(user,
  ["chat:chat-moderator", "project:site-moderator"]);

Check for permission

Allow custom role modifications only if the user has the edit-custom-roles permission


// On the client, checking permissions of other users requires the
// permissions:get-users-roles permission

CustomRoles.allow({
  insert: function (userId, doc) {
    return OrbitPermissions.userCan("edit-custom-roles",
                                      "permissions", userId);
  },
  remove: function (userId, doc) {
    return OrbitPermissions.userCan("edit-custom-roles",
                                      "permissions", userId);
  }
});
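
A stand-alone model of the role and permission resolution these slides describe, added here as an example; it is not the orbit:permissions source. `PermissionModel` and its internals are hypothetical, and the fail-closed handling of undefined permissions and roles is an assumption of this model.

```javascript
// Simplified model, not orbit:permissions source; PermissionModel is a hypothetical name.
const ADMIN_ROLE = "permissions:admin";
class PermissionModel {
  constructor() {
    this.permissions = new Set(); // qualified names, "package:permission"
    this.roles = new Map();       // "package:role" -> Set of qualified permissions
    this.userRoles = new Map();   // userId -> Set of role names
  }
  // No argument means the application level, which the slides address as "project".
  registrar(pkg = "project") {
    const self = this;
    const qualify = (n) => (n.includes(":") ? n : `${pkg}:${n}`);
    return {
      definePermission(name) { self.permissions.add(`${pkg}:${name}`); return this; },
      defineRole(name, perms) {
        const resolved = perms.map(qualify);
        // Assumption: fail closed when a role references an undefined permission.
        const missing = resolved.find((p) => !self.permissions.has(p));
        if (missing) throw new Error(`unknown permission: ${missing}`);
        self.roles.set(`${pkg}:${name}`, new Set(resolved));
        return this;
      },
    };
  }
  delegate(userId, roleNames) {
    const held = this.userRoles.get(userId) || new Set();
    for (const r of roleNames) {
      if (r !== ADMIN_ROLE && !this.roles.has(r)) throw new Error(`unknown role: ${r}`);
      held.add(r);
    }
    this.userRoles.set(userId, held);
  }
  revoke(userId, roleNames) {
    const held = this.userRoles.get(userId) || new Set();
    roleNames.forEach((r) => held.delete(r));
  }
  userCan(permission, pkg, userId) {
    const wanted = `${pkg}:${permission}`;
    if (!this.permissions.has(wanted)) return false; // undefined permission: deny
    const held = this.userRoles.get(userId) || new Set();
    if (held.has(ADMIN_ROLE)) return true; // admin holds every defined permission
    return [...held].some((r) => (this.roles.get(r) || new Set()).has(wanted));
  }
}
const model = new PermissionModel(); // constructed sample data mirroring the slides
model.registrar("chat").definePermission("edit-message").definePermission("remove-message")
  .defineRole("chat-moderator", ["edit-message", "remove-message"]);
model.registrar().definePermission("approve-accounts")
  .defineRole("site-moderator", ["chat:remove-message", "project:approve-accounts"]);
```
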

Template Helper

The "can" helper

{{#if can "remove-message" "chat"}}
    
{{/if}}

Admins Related Commands


// On the client, requires the permissions:get-users-roles permission unless
// checking the logged-in user
OrbitPermissions.isAdmin(user)

// On the client, requires the permissions:delegate-and-revoke permission
OrbitPermissions.addAdmins(users)

// On the client, requires the permissions:delegate-and-revoke permission
OrbitPermissions.removeAdmins(users)

Fork Me On GitHub

TAPevents/orbit-permissions