acl

acl.js

const permissionMap = [
  'canEditBilling',
  'canSeeEveryArticle',
  'editArticle',
  'readArticle',
  'canQuack'
];

roles = {
  admin: {
    canEditBilling: true,
    canSeeEveryArticle: true,
    editArticle: true,
    readArticle: true
  },
  member: {
    canSeeEveryArticle: true
  },
  viewer: {},
  collaborator: {
    /* canSeeEveryArticle: false */ // 👈 we can set it explicitly, but if it's not there it means false
  },
  copywriter: {
    editArticle: true,
    readArticle: true,
  },
  jessica: {
    canDoWhateverMichaelWantsHerToDo: true
  },
  duck: {
    canQuack: true,
    readArticle: false,
  }
};

const precedence = [
  'admin',
  'member',
  'viewer',
  'collaborator',
  'copywriter',
  'jessica',
  'duck',
];

const Norbi = {
  id: 1,
  roles: ['duck', 'admin'],
};

const Robi = {
  id: 2,
  roles: ['member'],
};

const Michael = {
  id: 3
};

const Article = {
  id: 1,
  title: 'The beauty of role management',
  members: [1, 2],
}

// const user = Robi;
// const user = Norbi;
const user = Michael;

const article = Article;

function hasPermission(permission, user) {
  // collect the final permission pack
  const permissions = precedence.reverse().reduce((acc, p) => {
    if (user.roles && user.roles.includes(p)) {
      return Object.assign(acc, roles[p]);
    }
    return acc;
  }, {});
  return Boolean(permissions[permission]);
}

const sample = 'canQuack';
console.log(sample, hasPermission(sample, user));

There are couple of great modules in npm which are covering attribute and role based acl, they could be used as inspiration:

• https://www.npmjs.com/package/accesscontrol
• https://www.npmjs.com/package/role-acl
• https://www.npmjs.com/package/griffin-acl (i love how this defines resource and actions)

https://github.com/seeden/rbac