I have 3 roles: member, admin, owner, where the owner can update all user records, and admin can update all user records BUT the owner record. The reasoning is simply that the account owner can create admins in the app who shouldn't have powers to oust the owner.
Is there a recommended technique to express this tree of permissions?
If not, my suggestion is the following:
```javascript
ac.grant('owner').updateAny('user')
ac.grant('admin').updateAny('user').where('/role neq "owner"') // possible with the help of spleen
// or with sift.js
ac.grant('admin').updateAny('user').where({ role: { $neq: 'owner' }})
```
Normal check:
```javascript
let permission = ac.can('admin').updateAny('user');
permission.granted // true
```
If the target resource / user is supplied as second argument to can(role, data), the where clause is invoked:
I believe this new feature will unleash a wide range of new capabilities previously not possible, including the new ways to check possession internally!
I think this concern has been addressed in the docs.
```javascript
// user role inherits viewer role permissions
ac.grant('user').extend('viewer');
// admin role inherits both user and editor role permissions
ac.grant('admin').extend(['user', 'editor']);
// owner role inherits admin permissions
ac.grant(['owner']).extend('admin');
```
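The rule in the question depends on the role stored on the record being updated as well as on the caller's role. As an added example (plain JavaScript, not the accesscontrol API and not code from this thread), the check below applies a per-role predicate to the target record before and after the requested change. `updateRules`, `canUpdateUser` and the sample users are hypothetical names, and checking the post-update record is an assumption that goes beyond the rule as stated.

```javascript
// Added example: plain JavaScript, not the accesscontrol API.
// Role names are from the issue; all other names are hypothetical.

// One predicate per role over the target user record (the "where" clause).
// A Map is used so that a role string such as "constructor" cannot resolve
// to an inherited Object.prototype member and be treated as a rule.
// Roles without an entry are denied.
const updateRules = new Map([
  ['owner', () => true],                          // any user record
  ['admin', (user) => user.role !== 'owner'],     // any record but the owner's
]);

// actor:   authenticated caller, loaded server-side
// target:  stored record being updated, loaded server-side
// changes: fields the request wants to write
function canUpdateUser(actor, target, changes = {}) {
  const rule = updateRules.get(actor?.role);
  if (!rule || !target) return false;             // default deny
  // Check the record as stored, so the request cannot relabel the target.
  if (!rule(target)) return false;
  // Assumption: the result of the update must satisfy the same predicate,
  // which stops an admin from writing role "owner" onto another account.
  return rule({ ...target, ...changes });
}

// Constructed sample records.
const owner = { id: 1, role: 'owner' };
const admin = { id: 2, role: 'admin' };
const member = { id: 3, role: 'member' };

function demo() {
  return {
    ownerUpdatesAdmin: canUpdateUser(owner, admin, { role: 'member' }),
    adminUpdatesMember: canUpdateUser(admin, member, { name: 'New Name' }),
    adminUpdatesOwner: canUpdateUser(admin, owner, { role: 'member' }),
    adminGrantsOwner: canUpdateUser(admin, member, { role: 'owner' }),
    memberUpdatesSelf: canUpdateUser(member, member, { name: 'x' }),
    bogusRole: canUpdateUser({ id: 9, role: 'constructor' }, member),
  };
}

console.log(demo());
```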