Roles and Permissions

Access Control

You can set permissions on each model for user groups which you can define yourself. There are also a few special groups: * all -- All users, whether they authenticate or not. * owner -- The user who created an item. This requires the model to have a _owner_id property (see the above example). * user -- Any authenticated user. * admin -- Any admin user.

Each group can have one, some or all of the following permissions: * c -- Create -- the ability to create a new record (a POST operation) * r -- Retrieve -- the ability to read a record or all records (a GET operation) * u -- Update -- the ability to update an existing record (a PUT operation) * d -- Delete -- the ability to delete an existin record (a DELETE operation)

The permissions are defined in the model as follows:

TestSchema.set("_perms", {
    admin: "crud", // CRUD = Create, Retrieve, Update and Delete
    owner: "rud",
    user: "cr",
    all: "r" // Unauthenticated users will be able to read from test, but that is all

In this case, the admin and record owner have full permissions. (We don't need to set "create" for the owner, obvz.) An authenticated user can create and retrive records. Everyone can read everything.

To make a model completely private, just don't set the perms.


You can add and remove groups to a user with the /groups/:user_id endpoint. The group will be automatically created if it doesn't already exist.

  • GET gets all the groups for the user
  • PUT adds a group
  • POST rewrites the user's groups
  • DELETE deletes the matching group

The field needs to be named group. You can even have an array of groups, eg. group[0], group[1] etc.


Note that you'll need to authenticate as an admin through one of the methods described for these examples

Set the user's group to test

curl -X POST -F "group=test" "http://localhost:3001/groups/5485bd62fbad8791660d2658"

Add the groups test1 and test2

curl -X PUT -F "group[0]=test0" -F "group[1]=test1" "http://localhost:3001/groups/5485bd62fbad8791660d2658"

Adding custom permission logic

Maybe you want to do some more checks on permissions than the "crud" we offer. You can catch the user object in your model as a virtual attribute. (I suppose you could use a real Mixed attribute too.)


var sender;

LedgerSchema.virtual("__user").set(function(usr) {
    sender = usr;

And then later, say in your pre- or post-save...

(!sender.admin)) {
    return next(new Error( "Verboten!"));