Consider using connect-roles to define permissions
https://github.com/ForbesLindesay/connect-roles
This middleware provides an interface for defining permissions as named actions and checking them when an API endpoint is called.
const express = require('express')
const ConnectRoles = require('connect-roles')

const api = express()
const roles = new ConnectRoles()
api.use(roles.middleware())

// A rule must return true (allow) or false (deny); any other value counts as
// "undecided", the next matching rule runs, and the default is deny. So the
// verdict is coerced to a boolean rather than returning the user object itself.
roles.use('create collection', function (req) {
  return Boolean(req.user)
})
roles.use('update collection', function (req) {
  return Boolean(req.user.admin || req.collection.isOwner(req.user))
})

// authBearer is the token-checking middleware that sets req.user, and
// req.collection is assumed to be loaded by a param handler for ':collection';
// both are defined elsewhere.
api.post('/', authBearer, roles.can('create collection'), (req, res, next) => {
  …
})
api.put('/:collection', authBearer, roles.can('update collection'), (req, res, next) => {
  …
})
This allows permissions to be defined quite cleanly, as long as the request object carries everything needed to make the decision (here req.user and req.collection).
The rule callbacks only receive the request and the action name; there isn't a way to pass a specific object as an extra parameter, so this wouldn't handle cases where permissions need to be checked per item while filtering an array of items.
The module is quite small and hasn't been updated in a while, so it should be feasible to extend it (or fork it) for that as needed.
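To show what that extension would look like, here is an added example (written for this note, not code from connect-roles or from this project) of a minimal rule registry in the same style as connect-roles, with one change: each rule also receives an optional target object, so the same rule can back a route middleware and a per-item filter over an array. The verdict semantics are kept as in connect-roles (true allows, false denies, anything else is undecided, default deny). The collections, users and the ownerId/public fields are constructed sample data and an assumed shape, not the real collection model.

```javascript
'use strict';

// Minimal stand-in for connect-roles' rule registry, with an extra `target`
// argument passed to every rule. This is illustrative code, not connect-roles.
class Roles {
  constructor() {
    this.rules = []; // { action: string|null, fn: (req, action, target) => boolean|undefined }
  }

  // Register a rule; calling use(fn) with no action registers it for every action.
  use(action, fn) {
    if (typeof action === 'function') { fn = action; action = null; }
    this.rules.push({ action, fn });
    return this;
  }

  // First rule that returns a strict boolean decides; non-boolean votes are
  // "undecided" and fall through; no decision means deny.
  test(req, action, target) {
    for (const rule of this.rules) {
      if (rule.action !== null && rule.action !== action) continue;
      const vote = rule.fn(req, action, target);
      if (typeof vote === 'boolean') return vote;
    }
    return false;
  }

  // Express-style middleware. `getTarget` (optional) picks the object to check
  // off the request, e.g. a collection loaded by an earlier param handler.
  // Status codes are this example's choice: 401 when unauthenticated, else 403.
  can(action, getTarget) {
    return (req, res, next) => {
      const target = getTarget ? getTarget(req) : undefined;
      if (this.test(req, action, target)) return next();
      res.statusCode = req.user ? 403 : 401;
      res.end('Forbidden');
    };
  }

  // The case the note says connect-roles cannot express: keep only the items
  // the caller may perform `action` on.
  filter(req, action, items) {
    return items.filter((item) => this.test(req, action, item));
  }
}

// Rules mirroring the note's examples, plus a 'read collection' rule so the
// filter has something to decide per item. Owner check is a hypothetical
// ownerId field rather than the page's isOwner() method.
function buildRoles() {
  const roles = new Roles();
  roles.use('create collection', (req) => Boolean(req.user));
  roles.use('update collection', (req, action, collection) =>
    Boolean(req.user && (req.user.admin || (collection && collection.ownerId === req.user.id))));
  roles.use('read collection', (req, action, collection) =>
    collection.public === true ||
    Boolean(req.user && (req.user.admin || collection.ownerId === req.user.id)));
  return roles;
}

// Constructed sample data (hypothetical; not from the original note).
const collections = [
  { id: 'c1', ownerId: 'alice', public: true },
  { id: 'c2', ownerId: 'alice', public: false },
  { id: 'c3', ownerId: 'bob', public: false },
];

// Per-item check while filtering a list: returns the ids `user` may read.
function visibleCollections(user) {
  return buildRoles()
    .filter({ user }, 'read collection', collections)
    .map((c) => c.id);
}

// Drive the middleware with a fake req/res and report what it decided:
// 'next' if the handler would run, otherwise the status code it set.
function runMiddleware(user, collectionId) {
  const req = { user, collection: collections.find((c) => c.id === collectionId) };
  const res = { statusCode: 200, end() {} };
  let nextCalled = false;
  buildRoles().can('update collection', (r) => r.collection)(req, res, () => { nextCalled = true; });
  return nextCalled ? 'next' : res.statusCode;
}
```

Because rules get the target explicitly, `roles.filter(req, 'read collection', items)` and `roles.can('update collection', getTarget)` share one definition of "who may do what to which object", which is the part that has to live on `req` when using connect-roles as published.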