This repository has been archived by the owner on Mar 9, 2018. It is now read-only.

Admin & Admin Group Permissions

Reza Akhavan edited this page Oct 20, 2016 · 3 revisions

The goal of this page is to explain how the Admin and AdminGroup permission features work.

Group Memberships

Admins can be members of zero or many Admin Groups. You can change an Admin's group memberships via the /api/admins/:id/permissions endpoint.

Checking for Group Membership

The instance method Admin#isMemberOf(groupId) is available to you during request logic. You can use this to check if an Admin is a member of a group like so:

var credentials = request.auth.credentials;
if (credentials.roles.admin.isMemberOf('root')) {
    // yes, is a member of the 'Root' group
}

Permissions

Both the Admin and the AdminGroup schemas have a field called permissions. These fields are simple objects where each key is a permission slug and each value is true or false, indicating whether that permission is granted.

Checking for Permission

The instance method Admin#hasPermissionTo(something, callback) is available to you during request logic. You can use this to check if a member is permitted to do something by permission name.

We first check if any of the Admin's group memberships permit this and then we check if that Admin has a specific rule set for the permission. This allows us to define granular permissions at the Admin level that override the group's permissions (either true or false).

const credentials = request.auth.credentials;

credentials.roles.admin.hasPermissionTo('DELETE_NOTES', (err, allowed) => {

    if (err) {
        // hydrating failed; stop here so the request is not treated as allowed
        return;
    }

    if (allowed) {
        // yes, you may delete notes
    }
    else {
        // no, you may not delete notes
    }
});

Example: Let's say we have an Admin Group called Support and we let everyone in that group delete notes. If we have an Admin that we want to be in that group, but we don't want them to delete notes, all we need to do is define the 'DELETE_NOTES' permission for them and set it to false. Or we can grant permission to specific Admins without needing to add them to an entire group.
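The precedence described above, worked through for the Support example. This is an added sketch, not the project's own code: `resolvePermission`, `ownRule`, the plain-object shapes and the sample admins and groups are assumptions made for illustration. It reads rules as own properties only and treats anything other than an explicit true as a denial.

```javascript
'use strict';

// Constructed sample data: group ids and permission slugs are illustrative.
const groups = {
    support: { name: 'Support', permissions: { DELETE_NOTES: true } },
    sales: { name: 'Sales', permissions: { DELETE_NOTES: false, EXPORT_LEADS: true } }
};

// Own-property lookup, so inherited keys such as 'constructor' never count as a rule.
const ownRule = (permissions, slug) => {
    if (permissions && Object.prototype.hasOwnProperty.call(permissions, slug)) {
        return permissions[slug];
    }
    return undefined;
};

// Hypothetical helper: resolves one permission slug for one admin.
const resolvePermission = (admin, allGroups, slug) => {
    // 1. Group level: granted if any group the admin belongs to sets the slug to true.
    const groupGrant = (admin.groups || []).some((groupId) => {
        const group = allGroups[groupId];
        return ownRule(group && group.permissions, slug) === true;
    });

    // 2. Admin level: an explicit rule overrides the group result, in either direction.
    const adminRule = ownRule(admin.permissions, slug);
    if (adminRule !== undefined) {
        return adminRule === true;
    }

    // 3. No admin-level rule: the group result stands (false when no group grants it).
    return groupGrant;
};

// Constructed admins covering the cases from the text.
const alice = { groups: ['support'], permissions: {} };                      // inherits from Support
const bob = { groups: ['support'], permissions: { DELETE_NOTES: false } };   // denied despite Support
const carol = { groups: [], permissions: { DELETE_NOTES: true } };           // granted without a group
const dave = { groups: ['sales', 'support'], permissions: {} };              // one group grants, one does not

for (const [name, admin] of Object.entries({ alice, bob, carol, dave })) {
    console.log(name, resolvePermission(admin, groups, 'DELETE_NOTES'));
}
```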

Related Reading

You should also familiarize yourself with the concepts of Users, Roles & Groups.

That's it

We hope this was helpful. If you have questions or think this page should be expanded please contribute by opening an issue or updating this page.