Any chance to integrate with mongo's built-in roles and privelliges?

I am not sure if this is a bug or maybe there is something wrong with my code...

The issue is that the user.can('access dashboard') strategy is being skipped (I checked using my debug tool. For some reason it's not even being considered.

var express = require("express"),
    passport = require("passport"),
    ConnectRoles = require('connect-roles');

var app = express();

var user = new ConnectRoles({
  failureHandler: function(req, res, action){
    res.status('403').render('403');
  }
});

app.use(passport.initialize());
app.use(passport.session());

app.use(function(req,res,next){
    res.locals.currentUser = req.user;
    next();
});

app.use(user.middleware());

//================== Connect Roles =======================

user.use('anonymous', function(req, action){
  if(!req.isAuthenticated()) return true;
});

user.use('access dashboard', function(req, action){
  if(req.user.id == req.params.user_id) return true;
});

//======================ROUTES============================
var homepage = require('./routes/homepage');
app.use('/', homepage);

// REGISTER ROUTES
var register = require('./routes/register');
app.use('/', user.is('anonymous'), register);

// LOGIN ROUTE
var login = require('./routes/login');
app.use('/', user.is('anonymous') ,login);

// DASHBOARD ROUTE
var dashboard = require('./routes/dashboard');
app.use('/', dashboard);

// CRAIGSLIST LISTING ROUTES
var listing = require('./routes/listing');
app.use('/', listing);

//LOGOUT
var logout = require('./routes/logout');
app.use('/', logout);

//ADMIN ROUTES
var admin = require('./routes/admin');
app.use('/admin', admin);

var pass = require('./routes/user-pass');
app.use('/', pass);


//Extra route I set for debugging
app.get('/user/:user_id', user.can('access dashboard'),function(req, res){
  res.send('Welcome to your dashboard');
});

app.listen(process.env.PORT || 3000, process.env.IP || 'localhost',function(){
    console.log("craigslist server has started");
});

Is there something wrong with my code?

The devDependency mocha was updated from 6.0.2 to 6.1.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

mocha is a devDependency of this project. It might not break your production code or affect downstream projects, but probably breaks your build or test tools, which may prevent deploying or publishing.

Your Greenkeeper Bot 🌴

I'm not getting it.
I see you have to use .use() for defining .can()

app.use('access private page', function (req) {
  if (req.user.role ==== 'moderator') {
    return true;
  }
})

app.get('/private', user.can('access private page'), function (req, res) {
  res.render('private');
});

But how do you define is('admin')
Is that the example?

user.use(function (req) {
  if (req.user.role === 'admin') {
    return true;
  }
});

//and later use
app.get('/admin', user.is('admin'), function (req, res) {
  res.render('admin');
});

I think I'm missing something.
there should be a way to define the role check.
Maybe i have to define like this?

user.use('admin', function (req) {
  if (req.user.role === 'admin') {
    return true;
  }

Is it expected to be recorded as string in req.user object?
I have an existing User model where i have level : 1,2,3, instead of role:'admin','moderator'?

user.use('admin', function (req) {
  if (req.user.level=== '3') {
    return true;
  }

Sorry if the answer for you is obvious, i just don't see it.

On line 93, the following code debug('Check Permission: ' + (req.user.id||req.user.name||"user") + throws an error when user is undefined - so basically any time the user is not authorized. The check itself works, it's just the debug statement that causes issues.

I am trying to migrate from express 3.0 to express 4.0 with success only if I remove connect-roles...
Here is my partial code:

var ConnectRoles    = require('connect-roles')
  , roles           = new ConnectRoles()
  ;

app.use(flash());
app.use(roles);

The last

app.use(roles);

is throwing me an error :

Error: Router.use() requires a callback functions but got a [object Object]

Maybe some api like this.

roles.use('edit user', ':userID')  

instead of

roles.use('edit user', '/user/:userID')

Express has 'param' method.
http://expressjs.com/api.html#app.param

i have inspected the connect-roles index.js, and i see that the debug messsage is not showing up. What i should do to make it work?

function tester(req, verb){
  return function(action){
    var result = null;
    for (var i = 0; i<functionList.length && result === null; i++){
      var fn = functionList[i];
      var vote = fn(req, action);
      if (typeof vote === 'boolean') {
        result = vote; //if no false it's true
      }
    }
//THIS IS NOT DISPLAYED IN MY CONSOLE
    debug('Check Permission: ' + (req[userProperty].id||req[userProperty].name||"user") +
        "." + (verb || 'can') + "('" + action + "') -> " + (result === true));
    return (result === true);
  };
}

How to set roles?

I'm trying to do something like app.post('/api/user/', User.is(Role.accountOwner), User.is(Role.secretariat), function(req,res,next){ do some stuff here} );

but doesn't work properly. When user's role is accountOwner everything works fine, if user is secreteriat throws forbidden because user is not accountOwner and the function that check if user is accountOwner throws null. In the documentation your said that the above line of code would work. Checking multiple user roles should work fine, but it doesn't. Could you provide more info or example on the issue?

I've got User schema with role parameter. I'm using your example with usage of connect-roles (I changed var user to var role and configured permissions:

role.use('profile.view', function (req) {
    if(req.user.role === 'user') {
       return true;
    }
});
role.use(function (req) {
    if (req.user.role === 'admin') {
        return true;
    }
});

Those are my configured routes:

app.get('/profile', role.can('profile.view'), function(req, res) {
  profile.profile(req, res);
});
app.get('/admin', role.is('admin.'), function(req, res){
    admin.admin(req, res);
});

In view I'm using

if userIs('admin')
    li
    a(href='/admin')
        |  Admin
li
    a(href='/profile')
        |  Profile
li
    a(href='/logout')
        |  Log Out

However I've issue when I've:

role.use(function (req) {
    if (req.user.role === 'admin') {
        return true;
    }
});

That: Cannot read property 'role' of undefined

When I'm deleting this rule it's working correct however I don't have admin menu.

Hi guys.

Setting User Roles

I'm missing in the readme where the user roles are set. I guess that I integrate into my passport strategy after successful authentication.

    UserModel.findOne { 'email': email, 'active': true }, (err, user) ->
      if err
        return done(err)
      if !user
        return done(null, false, {message: 'Emailadresse unbekannt'})
      if !user.validPassword(password)
        return done(null, false, {message: 'Passwort nicht korrekt'})

      req.appUser = {} if !req.appUser?
      switch user.permissionLevel
        when 'superAmdin'
          req.appUser.role = 'superAmdin'
       ...
      done null, user
    return

I have seen that there is an option to change the user userProperty. I have seen that passport also seems to use a req.user object if it is necessary to change the userProperty in passport as well it would be great to mention this.

Difference between roles.is/.can and user.is/can

Is there a difference? Can roles.is('myRole') be used within a route.

PS: At the moment I'm not understanding quite how to use connect-roles please give me a short feedback on:
http://stackoverflow.com/questions/31519736/connect-roles-define-user-roles-on-login-and-user-is-function

Version 10 of Node.js (code name Dubnium) has been released! 🎊

To see what happens to your code in Node.js 10, Greenkeeper has created a branch with the following changes:

• Added the new Node.js version to your .travis.yml

If you’re interested in upgrading this repo to Node.js 10, you can open a PR with these changes. Please note that this issue is just intended as a friendly reminder and the PR as a possible starting point for getting your code running on Node.js 10.

Your Greenkeeper Bot 🌴

Is there any way to use in views?

Maybe I'm missing something. It appears from the docs that you should be able to fall through to multiple roles, but does that only apply to catch all roles (like the admin example)?

For example, I'd like to or 2 roles, like:

app.get('/foo', user.is('superuser').or.can('do stuff');

Or potentially and 2 roles, like:

app.get('/foo', user.is('registered').and.can('do stuff');

There might be a better syntax (like using arrays) or passing a second param to mean and (if or is default).

app.get('/foo', user.is(['superuser', 'do stuff'], boolean);

Trying to set it up so that admin can see everything...

connectRule.use(function (req) {
  if(typeof req.user !== 'undefined'){
    req.user.role.active.contains('admin', function(found) {
      console.log("Something was found "+found);
      return found;
    })
  }
  else{
    return false;
  }
});

but I still get

Something was found true
GET /product/add 403 194ms - 60b

Meaning I am still getting a security error. Any idea what I am missing here? I could always be explicit.

I'm using connect-roles with passportjs and express. For now my code (snippets of it) looks like this..

// roles.js
import connectRoles from 'connect-roles';

export const roles = new connectRoles();

// routes.js
import { roles } from '../libs/roles';
...
...

roles.use((req, action) => {
  if (!req.isAuthenticated()) return action === 'access home page';
});

roles.use('access admin page', (req, action) => {
  if (req.user.role === 'admin') {
    return true;
  }
});

.get(passport.authenticate('jwt', { session: false }), roles.can('access admin page'), controller.TestController.getTest);

// app.js
...
...
import { roles } from '../libs/roles';

app.use(roles.middleware());

But since I want to be able to use the same rules on other routes then the ones in routes.js I need to put them into a module, but I'm not sure how I can do that. If anyone can point me in the right direction I would really appreciate that.

Thanks

Is there a way to have userIs with handlebars? I have tried a few ways with helpers with no joy.

Consider this example:

roles.use(function(req, action) {
  console.log('STRATEGY 1');
  if (!req.user.isAuthenticated) {
    console.log('RETURNING:', action === 'login');
    return action === 'login';
  } else {
    return null;
  }
});

roles.use(function(req) {
  console.log('STRATEGY 2');
  if (req.user.roles.indexOf('admin') >= 0) {
    console.log('RETURNING: true');
    return true;
  } else {
    return false;
  }
});

In my console I get the following:

STRATEGY 1
RETURNING: true
STRATEGY 2
TypeError: Array.prototype.indexOf called on null or undefined

The readme tells me that if a strategy returns either true or false, all subsequent strategies are ignored and the user is considered "allowed" or "denied". According to this example, that's not what's happening. I return true from the first one, and it runs the next one anyway (failing because no user is logged in).

I have an issue with connect-roles 3.1.1 where :

• I'm using Express 3.x (legacy app)
• passport is OK (blocking if not connected)
• connect-role strategies are ok : returning true if the connected user has the right role ; user with the wrong role fire the failureHandler as expected

but :

• when strategy returns true, the result is 404 and my route is never called.

I wasn't sure where else to ask this.
How do I do an async auth strategy?

e.g. I have a role of editing their own resources -- so I match the credentials to the resource edit request.

But this new case is I want to allow the owner of many sub-accounts to edit the resource. So in that case, I need to do a query to find the owner of that account. (But only if other role-checks fail)

(or maybe I can do this a different way...)

So, is there some way to do async in the AuthorisationStrategy? there's no next(); to not call like in connect middleware...

Thanks!

In the docs in the dynamic section https://github.com/ForbesLindesay/connect-roles#dynamic

req.params doesn't seem to work. I was testing with restify with is supposed to emulate connect regarding middleware.

I checked your server.js example, and you used this.params, and that worked.

So the two req.params.userid should be this.params.userid

I was banging my head on that for a few minutes...

It would be useful to be able to have something like:

app.get('/', user.isAuthenticated, showAuthenticatedHomePage);
app.get('/', showAnonymousHomePage);

That API wouldn't be sufficient to differentiate between that and:

app.all('/admin*', user.is('admin'));
app.get('/admin/settings', showSettingsPage);

Perhaps we could support something like:

app.get('/', user.is('admin').here, showAdminHomePage);
app.get('/', user.isAuthenticated.here, showAuthenticatedHomePage);
app.get('/', showAnonymousHomePage);

The worst crime when writing JavaScript code - throwing something that isn't an instanceof Error

Hi.

Any way to enable route access grouping?
So I don't add {}.can('access private page') for every route?

https://github.com/then/promise

Promise.from is deprecated

i read permission from database...
this is done just 1 time after loading program...
if i update permission for any roles,the changes does not take effect until i restart my api server

let ConnectRoles = require('connect-roles');
const Permission = require('./permission');
let gate = new ConnectRoles({
  failureHandler: function (req, res, action) {
       var accept = req.headers.accept || '';

       // res.status(403);
       if (accept.indexOf('html')) {

           // res.render('errors/403', { action });
         return  res.json({isSuccess: false, type: "error",title: "شما دسترسی ندارید"});

       } else {

           return   res.json({isSuccess: false, type: "error",title: "شما دسترسی ندارید"});
       }
  }
});

//this function run 1 time

let permissions = async () => {
  
    return await Permission.find({}).populate('roles').exec();
}


permissions()
    .then(permissions => {
        console.log(permissions)
        permissions.forEach(permission => {
            let roles = permission.roles.map(item => item._id);
            gate.use(permission.title , (req) => {
          

                return req.user.hasRole(roles);

            });
        })
    });



module.exports = gate;

//authenticate jwt
app.use(gate.middleware());

The dependency promise was updated from 8.0.3 to 8.1.0.

🚨 View failing branch.

This version is covered by your current version range and after updating it in your project the build failed.

promise is a direct dependency of this project, and it is very likely causing it to break. If other packages depend on yours, this update is probably also breaking those in turn.

Your Greenkeeper Bot 🌴

I'm getting some undesired side effect when using connect-roles in conjuntion with Passport.

It seems that when connect-roles defines the user object in attachHelpers(), it causes passport to wrongly detect user as being authenticated.

Passport uses the following code to check for user authentication:

req.isAuthenticated = function() {
  var property = 'user';
  if (this._passport && this._passport.instance._userProperty) {
    property = this._passport.instance._userProperty;
  }

  return (this[property]) ? true : false;
};

So, checking for "this[property]" always return true after connect-roles has called attachHelpers():

function attachHelpers(req, obj) {
  var oldUser = req.user;
  obj.user = req.user || Object.create(defaultUser);
  if(oldUser){
    obj.user.isAuthenticated = true;
  }else{
    obj.user.isAuthenticated = false;
  }
  if(obj.user){
    obj.user.is = tester(req,'is');
    obj.user.can = tester(req,'can');
  }
}

Is there any way to get both libraries to collaborate ?

Thanks

Version 4.0.0 of mocha just got published.

This version is covered by your current version range and after updating it in your project the build failed.

As mocha is “only” a devDependency of this project it might not break production or downstream projects, but “only” your build or test tools – preventing new deploys or publishes.

I recommend you give this issue a high priority. I’m sure you can resolve this 💪

Your Greenkeeper Bot 🌴

The actual failureHandler signature is req, res, act so the response has to be handled here. If we want to handle it elsewhere, there is only one option: throw an error in failureHandler like:

failureHandler: function (req, res, act) {
  throw new Error();
});

It would have been easier to change the method signature to req, res, next, act. So the above code could be:

failureHandler: function (req, res, next, act) {
  next(new Error());
});

I'm learning meanjs and i learned that one of the best authorization to be combined with passportjs authentication is connect-roles. I can't found any documentation on how to use connect-roles and passportjs together on the fullstack meanjs. Can you please provide one? Thank you

Hello,

with the new routers of express 4, I redid my app layout andended up having several mount points.

e.g.

self.express.designer.use('/api/v1', self.express.api);

These mountpoints get stripped in the req.url attribute, so everything below is agnostic to it.

e.g.

req.url: /users/7/apps/12/versions/12/hasAppInstance
req.path: /api/v1/users/7/apps/12/versions/12/hasAppInstance

Your module though is using req.path instead of req.url ind use3. I "fixed" it locally and I could also provide a pull request, although the change is really pretty minor.

I just wanted to know if I am missing sth when implementing this proposed bugfix.

Kind Regards

The link in description of github is broken.

404

Hello,

(res.sendStatus || res.send).bind(res)(status);

keeps backward compatibility and silences express 4.1x.

can you give a full example on express with passport,

no example ......

In http://documentup.com/ForbesLindesay/connect-roles
app.use(user);

In README
app.use(user.middleware());

which one is correct?

Also, can you add a note on what app.use(user); or app.use(user.middleware()); will do?

Template render error: (/src/vhosts/portal/views/cloud/cloud/notifications.html) [Line 3, Column 26]
TypeError: roles.test is not a function

nodejs: latest 6
express with nunjucks templates engine