Identity Based Access Control

[HenriqueSilverio]

As mentioned here:

Typical example: users can edit their own comments but can only read other users comments. So having a role that either grants or deny edit permissions to the resource comment/edit is not good enough. The permission depends on which comment the user is accessing.

Other example here:

Let me give you an example based on a blogging platform where a writer can create a blog post and then open it up for editing — should the writer role also allow to rewrite every post in the system? Probably not. We need to first check if they are the owner of the post.

Is there a way to achieve that?

[tguelcan]

Any news? I also have the challenge to check if the user is also the author

[HenriqueSilverio]

Currently I found some alternatives:

• fast-rbac
• rbac
• easy-rbac
• virgen-acl

[tguelcan]

We have developed our own stack (restexpress.dev) and have expanded the existing express-acl. I hope it can help you!

https://restexpress.dev/#/src/services/express/README