AND/OR for roles in LoopBack's ACLs


I have an application where users can have several different types of roles.

Static roles: each determines a different level of permissions; a user is mapped to one of these roles:

  • adminUser
  • powerUser
  • baseUser

Dynamic role:

  • accountMember: this role is assigned if the resource the user is trying to access belongs to the same account.

Now, let's say I have two endpoints:

  • /addUsers: in order to access this endpoint, a user needs to have the adminUser role as well as the accountMember role, e.g. adminUser && accountMember
  • /editUsers: in order to access this endpoint, a user needs to have the adminUser or powerUser role, as well as the accountMember role, e.g. (powerUser || adminUser) && accountMember

Assuming the roles are applied properly, how would I implement the AND/OR logic using LoopBack's ACLs array?


Here is the flow I came up with for (powerUser || adminUser) && accountMember

[DENY *$everyone* for all methods]

[ALLOW *accountMember* on */editUsers*]

[DENY *baseUser* on */editUsers*]

and for adminUser && accountMember

[DENY *$everyone* for all methods]

[ALLOW *accountMember* on */editUsers*]

[DENY *baseUser* on */editUsers*]

[DENY *powerUser* on */editUsers*]

I don't really like it, though, because if I were to add another user role, then I would have to edit a lot of ACLs. I would rather implicitly allow adminUser instead of having to deny all other user types.
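As an added example that is not part of the original question or answer, the following self-contained JavaScript models the answer's DENY/ALLOW flow as an ACL array in LoopBack model-config shape and resolves it for a few sample users. The scoring is an assumption: a simplified stand-in for LoopBack 3's documented rule precedence (the most specific matching rule wins, and DENY beats ALLOW on a tie), not LoopBack's own code; the `aclsFor` helper is mine and only exists to show how each excluded role costs one more DENY entry.

```javascript
// Build the answer's ACL set for one endpoint: deny everyone on everything,
// allow the dynamic accountMember role on the method, then deny each static
// role that must not get through. Helper is constructed for this example.
function aclsFor(method, deniedRoles) {
  return [
    { principalType: 'ROLE', principalId: '$everyone', permission: 'DENY', property: '*' },
    { principalType: 'ROLE', principalId: 'accountMember', permission: 'ALLOW', property: method },
    ...deniedRoles.map((role) => (
      { principalType: 'ROLE', principalId: role, permission: 'DENY', property: method }
    )),
  ];
}

// (powerUser || adminUser) && accountMember: only baseUser needs a DENY.
const editUsersAcls = aclsFor('editUsers', ['baseUser']);
// adminUser && accountMember: every other static role needs its own DENY,
// which is the asker's objection to this approach.
const addUsersAcls = aclsFor('addUsers', ['baseUser', 'powerUser']);

// Simplified specificity score (assumption, not LoopBack's scoring): a rule
// naming the exact method beats '*', a named role beats $everyone, and DENY
// outranks ALLOW when everything else ties.
function score(rule, method) {
  let s = 0;
  if (rule.property === method) s += 4;
  if (rule.principalId !== '$everyone') s += 2;
  if (rule.permission === 'DENY') s += 1;
  return s;
}

// A rule applies if the caller holds its role (or it targets $everyone)
// and it covers the requested method (or all methods via '*').
function matches(rule, roles, method) {
  const roleOk = rule.principalId === '$everyone' || roles.includes(rule.principalId);
  const propOk = rule.property === '*' || rule.property === method;
  return roleOk && propOk;
}

// Resolve the effective permission for a caller holding `roles` (static roles
// plus 'accountMember' when the resource belongs to their account).
function resolve(acls, roles, method) {
  const applicable = acls.filter((r) => matches(r, roles, method));
  if (applicable.length === 0) return 'DENY'; // nothing matched: default deny
  applicable.sort((a, b) => score(b, method) - score(a, method));
  return applicable[0].permission;
}
```

Run with constructed role sets such as `['baseUser', 'accountMember']` to see the same-specificity DENY beat the accountMember ALLOW, and with `['powerUser']` alone to see the account check fail through the $everyone DENY.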