@jacky810124
Last active March 1, 2017 16:51
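// Dependencies. `express()` is a factory, not a constructor: the original
// `new express()` only worked because the returned app object is itself a
// function, which `new` hands back unchanged.
const express = require('express')
const pathToRegexp = require('path-to-regexp')

const app = express()
const router = express.Router()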
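/**
 * Builds the authorization middleware.
 *
 * The rule table below is the gist's in-memory policy. Rules are compiled
 * once per `permission()` call rather than on every request, which is what
 * the original per-request construction did.
 *
 * Decision rules, unchanged from the original:
 *   - the first rule whose `resource` pattern matches the request path is the
 *     only one consulted;
 *   - an ALLOW rule permits exactly the listed methods and refuses the rest;
 *   - a DENY rule refuses exactly the listed methods and permits the rest;
 *   - a path with no matching rule is passed through (default allow). This is
 *     fail-open and should be reconsidered before reuse outside the demo.
 *
 * Refusals are reported as `next({ status: 403, message: 'NOTALLOW' })`; the
 * downstream error handler is responsible for turning that into an HTTP 403.
 *
 * @returns {Function} Express middleware `(req, res, next)`
 */
const permission = () => {
  const config = {
    user: {
      permissions: [
        {
          resource: '/api/users/:id/name',
          methods: ['GET'],
          action: 'DENY',
        }, {
          resource: '/api/users',
          methods: ['GET', 'POST'],
          action: 'ALLOW',
        }
      ]
    },
    admin: {
      permissions: [
        {
          resource: '/api/users/:id/name',
          methods: ['GET'],
          action: 'ALLOW',
        }
      ]
    }
  }

  // Compile each resource pattern once. `pathToRegexp` is expected to return
  // a RegExp (the path-to-regexp API this gist was written against — confirm
  // against the installed version). Methods are upper-cased up front so the
  // per-request check is a plain lookup.
  const compiled = {}
  Object.keys(config).forEach(role => {
    compiled[role] = config[role].permissions.map(p => ({
      pattern: pathToRegexp(p.resource),
      methods: p.methods.map(m => m.toUpperCase()),
      allow: p.action.toUpperCase() === 'ALLOW',
    }))
  })

  const deny = next => next({ status: 403, message: 'NOTALLOW' })

  return (req, res, next) => {
    // Match on the path only. The original matched `req.url`, which carries
    // the query string, so `/api/users/1/name?x=1` matched no rule and was
    // passed through despite the DENY entry — an authorization bypass.
    const path = req.path || req.url.split('?')[0]
    const role = req.user && req.user.role
    const method = req.method.toUpperCase()

    // A missing or unknown role (including inherited names such as
    // 'constructor') is refused, instead of throwing a TypeError that the
    // error handler would then echo back to the client.
    if (typeof role !== 'string' || !Object.prototype.hasOwnProperty.call(compiled, role)) {
      return deny(next)
    }

    const rule = compiled[role].find(r => r.pattern.test(path))
    if (rule === undefined) {
      // No rule covers this path: default allow, as in the original.
      return next()
    }

    const listed = rule.methods.indexOf(method) !== -1
    // ALLOW lists permitted methods; DENY lists refused ones. Either way the
    // request passes exactly when "method is listed" equals "rule is ALLOW".
    if (listed === rule.allow) {
      return next()
    }
    return deny(next)
  }
}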
// Demo routes. Each answers 200 with a fixed body; the point of the gist is
// which of them the permission middleware lets a given role reach.
const routes = [
  { method: 'get', path: '/api/users', message: '/api/users' },
  { method: 'get', path: '/api/users/:id/name', message: '/api/users/:id/name' },
  { method: 'post', path: '/api/users', message: 'ok' },
  { method: 'patch', path: '/api/users', message: 'ok' },
]

routes.forEach(({ method, path, message }) => {
  router[method](path, (req, res) => {
    res.status(200).json({ message })
  })
})
// Stand-in for authentication: every request is treated as role 'user'.
// The permission middleware only means something once this is replaced by a
// genuine identity check.
const stubUser = (req, res, next) => {
  req.user = { role: 'user' }
  next()
}

// Order matters: identity first, then authorization, then the routes.
app.use(stubUser)
app.use(permission())
app.use(router)
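/**
 * Final error handler. Express recognises it only by its four-parameter
 * signature, so `next` stays even though it is used just for delegation.
 *
 * The original `res.json(err)` answered every error with HTTP 200 — including
 * the `{ status: 403 }` objects the permission middleware emits — and echoed
 * whatever the error object serialised to. Here the status comes from
 * `err.status` (500 when absent), and for 5xx errors only a generic message
 * is returned so internal error text does not reach the client.
 */
app.use((err, req, res, next) => {
  console.error(err)
  if (res.headersSent) {
    // Too late to change the response; let Express close the connection.
    return next(err)
  }
  const status = err && Number.isInteger(err.status) ? err.status : 500
  const message = status < 500 && err && err.message
    ? String(err.message)
    : 'Internal Server Error'
  res.status(status).json({ status, message })
})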
// Demo port; nothing in this gist reads it from the environment.
const PORT = 3001
app.listen(PORT)