Skip to content

Instantly share code, notes, and snippets.

@facultymatt
Last active April 16, 2024 09:31
Show Gist options
  • Save facultymatt/6370903 to your computer and use it in GitHub Desktop.
Save facultymatt/6370903 to your computer and use it in GitHub Desktop.
Roles and permissions system for Nodejs

ACL / Roles + Permissions

https://github.com/djvirgen/virgen-acl Simple and elegant, create your own checks. No middleware?

https://github.com/OptimalBits/node_acl Use as middleware, create your own roles and access. Great choice.

https://github.com/tschaub/authorized Similar to connect roles... but a bit more robust? you can create roles and action, and associate many roles with that action

https://github.com/scottkf/ability-js Like canCan for rails. This is a traditional controller / function type permission system. May be too abstract.

https://github.com/dresende/node-roles More traditional setRole() hasRole() based checking. Last activity 2 years ago.

https://github.com/carlos8f/node-relations Natural language style roles. Looks very promising and is in active development

https://github.com/ForbesLindesay/connect-roles Simple and closer to action / natural language based. Requires writing your own checks for each.

https://github.com/ajlopez/SimplePermissions Maybe too simple? Makes sense for assigning roles but then its hard to check against roles!

https://npmjs.org/package/entitlement Not ideal but here for reference sake.

Mongoose Field Access Control

https://github.com/codedoctor/mongoose-plugins-accessible-by Set access per field of mongoose Schema. Not supported or maintained, and noted as not a perfect fit in all cases... but worth considering as a simple way to control access to fields.

@chichivica
Copy link

chichivica commented Feb 16, 2017

current popularity rank (based on npmjs.com dowloads count)

  1. acl
  2. connect-roles
  3. authorized
  4. virgen-acl
  5. permission
  6. ability
  7. simplepermissions
  8. entitlement

@KieronWiltshire
Copy link

@onury
Copy link

onury commented May 10, 2017

Here is my approach https://github.com/onury/accesscontrol
Example:

var permission = ac.can(role).createOwn(resource);
if (permission.granted) {
    // do stuff...
} else {
    console.log('Forbidden');
}

@kabala
Copy link

kabala commented Jul 25, 2017

Thx so much!

@AGhost-7
Copy link

AGhost-7 commented Dec 27, 2017

Shameless plug! : https://github.com/AGhost-7/o-is/tree/master/packages/access-mate

Above is an attribute-based access control library. It is designed to be as flexible as possible by using conditions instead of roles. One can implement RBAC or whatever they want using conditions. Module also supports field-level access control that isn't supported by most of the modules listed here.

@SylvainEstevez
Copy link

If you wish to enhance the list, we wrote this with my team: https://github.com/bluebirds-blue-jay/access-control

@mxmzb
Copy link

mxmzb commented Apr 9, 2018

Here is the real cancan for node.js: https://github.com/vadimdemedes/cancan

@chinookng
Copy link

@pak11273
Copy link

pak11273 commented Aug 4, 2018

I'm surprised https://github.com/stalniy/casl isn't on the list

@sedzd
Copy link

sedzd commented Dec 11, 2018

I'm surprised https://github.com/stalniy/casl isn't on the list

exactly!

@PuzoLiang
Copy link

awesone. thank you guys

@HighSoftWare96
Copy link

Nobody talks about https://casbin.org/?

@ChaitanyaBabar
Copy link

ChaitanyaBabar commented May 22, 2020

@hackerunet
Copy link

Does anybody knows a way to have multiorganization roles permissions? I need to create permisssions dynamically depending on customers organizations, which means, I have system permissions, I have each company permissions and the name of the role and it's permissions is not unique, which means a company A could have a Role A and the company B could have Role A, then Role A of company A and Role A of Company B have the same name but different actions associated. So the customers in Company A access their own permissions and Company B access their own permissions.

@hsluoyz
Copy link

hsluoyz commented Sep 11, 2020

@hackerunet you can try Casbin's RBAC model with domains: https://casbin.org/docs/en/rbac-with-domains

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment