Added role based middleware authorisation

meanjs · Apr 21, 2014 · 5eed915 · 5eed915
1 parent edd549d
commit 5eed915
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 8 deletions.
diff --git a/app/controllers/articles.server.controller.js b/app/controllers/articles.server.controller.js
@@ -123,7 +123,9 @@ exports.articleByID = function(req, res, next, id) {
  */
 exports.hasAuthorization = function(req, res, next) {
 	if (req.article.user.id !== req.user.id) {
-		return res.send(403, 'User is not authorized');
+		return res.send(403, {
+			message: 'User is not authorized'
+		});
 	}
 	next();
 };
diff --git a/app/controllers/users.server.controller.js b/app/controllers/users.server.controller.js
@@ -233,7 +233,9 @@ exports.userByID = function(req, res, next, id) {
  */
 exports.requiresLogin = function(req, res, next) {
 	if (!req.isAuthenticated()) {
-		return res.send(401, 'User is not logged in');
+		return res.send(401, {
+			message: 'User is not logged in'
+		});
 	}
 
 	next();
@@ -242,12 +244,20 @@ exports.requiresLogin = function(req, res, next) {
 /**
  * User authorizations routing middleware
  */
-exports.hasAuthorization = function(req, res, next) {
-	if (req.profile.id !== req.user.id) {
-		return res.send(403, 'User is not authorized');
-	}
+exports.hasAuthorization = function(roles) {
+	var _this = this;
 
-	next();
+	return function(req, res, next) {
+		_this.requiresLogin(req, res, function() {
+			if (_.intersection(req.user.roles, roles).length) {
+				return next();
+			} else {
+				return res.send(403, {
+					message: 'User is not authorized'
+				});
+			}
+		});
+	};
 };
 
 /**
@@ -339,7 +349,7 @@ exports.removeOAuthProvider = function(req, res, next) {
 		// Delete the additional provider
 		if (user.additionalProvidersData[provider]) {
 			delete user.additionalProvidersData[provider];
-			
+
 			// Then tell mongoose that we've updated the additionalProvidersData field
 			user.markModified('additionalProvidersData');
 		}