I have an application where users can have several different types of roles.
Static Roles: each determines a different level of permissions; a user is mapped to one of these roles
- adminUser
- powerUser
- baseUser
Dynamic Role:
- accountMember: this role is assigned if the resource the user is trying to access belongs to the same account.
Now, let's say I have two endpoints:
- /addUsers: in order to access this endpoint, a user needs to have the adminUser role as well as the accountMember role, e.g.
adminUser && accountMember
- /editUsers: in order to access this endpoint, a user needs to have the adminUser or powerUser role, as well as the accountMember role, e.g.
(powerUser || adminUser) && accountMember
Assuming the roles are applied properly, how would I implement the AND/OR logic using LoopBack's ACLs array?
Here is the flow I came up with for
(powerUser || adminUser) && accountMember
and for
adminUser && accountMember
I don't really like it though, because if I were to add another user role, then I would have to edit a lot of ACLs. I would rather implicitly allow adminUser instead of having to deny all other user types.
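The following is an added example, not code from the question and not LoopBack's own ACL engine. It shows the usual way the AND/OR composition is expressed: the boolean logic lives in composite roles (in LoopBack these would be registered once with `Role.registerResolver`), and the ACL array then contains a single catch-all DENY plus one ALLOW per endpoint naming the composite role, so adding a new static role never requires new DENY entries. The users, account ids, the composite role names `adminAccountMember` and `editorAccountMember`, and the `isAllowed` evaluator are all constructed assumptions; the evaluator is a deliberately simplified stand-in for LoopBack's real ACL scoring so the logic can be run offline.

```javascript
// Added example: models LoopBack-style "acls" entries as plain data and
// evaluates them with a simplified resolver. This is NOT LoopBack's real ACL
// engine; it only demonstrates how composite roles carry the AND/OR logic.

// Constructed sample users (hypothetical). Each has exactly one static role.
const users = {
  alice: { id: 'alice', staticRole: 'adminUser', accountId: 'acct-1' },
  bob:   { id: 'bob',   staticRole: 'powerUser', accountId: 'acct-1' },
  carol: { id: 'carol', staticRole: 'baseUser',  accountId: 'acct-1' },
  dave:  { id: 'dave',  staticRole: 'adminUser', accountId: 'acct-2' },
};

// Base role predicates over a context { user, resourceAccountId }.
// They play the part of synchronous role resolvers.
const hasStaticRole = (name) => (ctx) => ctx.user.staticRole === name;
// Dynamic role: true only when the resource belongs to the user's own account.
const accountMember = (ctx) => ctx.user.accountId === ctx.resourceAccountId;

// Combinators that build one composite role out of several predicates.
const and = (...preds) => (ctx) => preds.every((p) => p(ctx));
const or = (...preds) => (ctx) => preds.some((p) => p(ctx));

// Composite roles (assumed names). In LoopBack these would be the names
// passed to Role.registerResolver and then referenced from the ACL array.
const roleResolvers = {
  // adminUser && accountMember
  adminAccountMember: and(hasStaticRole('adminUser'), accountMember),
  // (powerUser || adminUser) && accountMember
  editorAccountMember: and(
    or(hasStaticRole('adminUser'), hasStaticRole('powerUser')),
    accountMember
  ),
};

// ACL array in the shape of LoopBack model-config "acls" entries.
// One wildcard DENY, then one ALLOW per endpoint for its composite role.
const acls = [
  { principalType: 'ROLE', principalId: '$everyone',          permission: 'DENY',  property: '*' },
  { principalType: 'ROLE', principalId: 'adminAccountMember',  permission: 'ALLOW', property: 'addUsers' },
  { principalType: 'ROLE', principalId: 'editorAccountMember', permission: 'ALLOW', property: 'editUsers' },
];

// Simplified evaluation (assumption, not LoopBack's scoring): a property-
// specific ALLOW whose role resolves true wins over the wildcard DENY;
// anything else, including unknown users or roles, is denied.
function isAllowed(userId, property, resourceAccountId) {
  const user = users[userId];
  if (!user) return false;
  const ctx = { user, resourceAccountId };
  return acls.some((acl) =>
    acl.permission === 'ALLOW' &&
    acl.property === property &&
    typeof roleResolvers[acl.principalId] === 'function' &&
    roleResolvers[acl.principalId](ctx));
}
```

With this layout, a future static role (say `auditUser`) only needs to be added to the `or(...)` inside the composite role that should admit it; the ACL array and its single DENY stay untouched.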