I have four user roles: super admin, admin, HOD and data entry operator. The super admin can access everything, but admin, HOD and data entry operator have limited access, and all of this should be handled in the backend.

In the array below I put all the API URLs a user can access, but when I pass an id, even though the URL is present in the array, it shows
You have no access to update data.


For example:
"/api/masters/wing/getWing/{id}"
This is present in the array, but
req.originalUrl
contains
"/api/masters/wing/getWing/1"

and it throws the error
You have no access to update data.


How can I match the URL against the array?

What I have tried:

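// Express' req.originalUrl still carries the query string; only the path is
// authorised, so the query part is dropped before matching.
const requestedPath = req.originalUrl.split("?")[0];
const currentRole = data.userroles[0].role;
const accessList = Auth.aceessList;

/**
 * Whether a concrete request path matches one access-list template.
 * A template is a whole path; every `{name}` segment is a placeholder that
 * matches exactly one non-empty path segment, so
 * "/api/masters/wing/getWing/{id}" matches "/api/masters/wing/getWing/1"
 * but not "/api/masters/wing/getWing/1/extra". The comparison covers the
 * whole path (same number of segments, literals compared exactly), so a
 * request whose path merely contains an allowed path as a substring is
 * rejected — the previous `includes` check accepted such requests.
 *
 * @param {string} template - one entry of Auth.aceessList[role]
 * @param {string} path - request path without the query string
 * @returns {boolean} true when the path is covered by the template
 */
function pathMatchesTemplate(template, path) {
  const templateParts = template.split("/");
  const pathParts = path.split("/");
  if (templateParts.length !== pathParts.length) {
    return false;
  }
  return templateParts.every((part, i) => {
    const isPlaceholder = part.startsWith("{") && part.endsWith("}");
    // Placeholders consume any non-empty segment; literals must match exactly.
    return isPlaceholder ? pathParts[i].length > 0 : part === pathParts[i];
  });
}

// Super Admin bypasses the list. Every other role must have an OWN entry
// (hasOwnProperty so a role string such as "constructor" never resolves to an
// inherited Object.prototype member) and the path must match one template.
const roleTemplates = Object.prototype.hasOwnProperty.call(accessList, currentRole)
  ? accessList[currentRole]
  : null;
if (
  currentRole !== "Super Admin" &&
  (!roleTemplates || !roleTemplates.some((t) => pathMatchesTemplate(t, requestedPath)))
) {
  throw new Error("You have no access to update data.");
}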


And below is the array of APIs that each user role can access.
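/**
 * Access-list templates per role, keyed by the role string found in
 * `data.userroles[*].role`. "Super Admin" has no entry because the caller
 * skips the check for it. Each entry is a whole request path; a `{name}`
 * segment is a placeholder for a single path parameter, so callers must
 * match the request path against the template (segment by segment, over
 * the whole path) rather than test for substrings. A fresh object is built
 * on every access, so a caller cannot mutate the shared list.
 *
 * The HOD list previously repeated "/api/masters/departments/managedepartment"
 * three times; each path is now listed once.
 *
 * @returns {Object<string, string[]>} role name -> allowed path templates
 */
static get aceessList() {
    return {
      Admin: [
        "/api/masters/wing/manageWing",
        "/api/masters/departments/managedepartment",
        "/api/masters/supplier/managesupplier",
        "/api/masters/expensehead/manageexpensehead",
        "/api/masters/subHead/manageSubHead",
        "/api/user/save-member",
        "/api/user/changepassword",
        "/api/masters/budget/getbudgetlist",
        "/api/masters/budget/getbudgetbywing",
        "/api/masters/budget/getbudgetbyexpensehead/{expense_head_id}/{sub_head_id}",
        "/api/masters/budget/getbudgetbyduration",
        "/api/masters/budget/getbudget",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheaderlist",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheader/{id}",
        "/api/masters/purchaserequisitionheader/getprdetailsList",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader",
      ],
      "Data Entry Operator": [
        "/api/admin/upload-data",
        "/api/admin/upload-income-data",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader",
      ],
      HOD: [
        "/api/masters/wing/manageWing",
        "/api/masters/departments/managedepartment",
        "/api/masters/supplier/managesupplier",
        "/api/masters/expensehead/manageexpensehead",
        "/api/masters/subHead/manageSubHead",
        "/api/user/save-member",
        "/api/user/changepassword",
        "/api/masters/budget/getbudgetlist",
        "/api/masters/budget/getbudgetbywing/{wing_id}/{department_id}",
        "/api/masters/budget/getbudgetbyexpensehead/{expense_head_id}/{sub_head_id}",
        "/api/masters/budget/getbudgetbyduration",
        "/api/masters/budget/getbudget/{id}",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheaderlist",
        "/api/masters/purchaserequisitionheader/getpurchaserequisitionheader",
        "/api/masters/purchaserequisitionheader/getprdetailsList",
        "/api/masters/purchaserequisitionheader/managepurchaserequisitionheader",
        "/api/masters/departments/getdepartmentlist",
        "/api/masters/departments/getdepartment/{id}",
        "/api/masters/wing/getWingList",
        "/api/masters/wing/getWing/{id}",
      ],
    };
  }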

1 solution

The simplest option is probably to change your access list templates to regular expressions. That way, you can also express constraints on the type of data accepted by the parameters.
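/**
 * Per-role access list expressed as anchored regular expressions.
 *
 * Every pattern is anchored with `^` and `$`, so it must cover the WHOLE
 * request path: a path that only contains an allowed path as a substring,
 * or carries extra trailing segments, does not match. Path parameters are
 * constrained to digits (`\d+`), so an id such as "abc" is rejected before
 * it reaches the handler. Because of the `$` anchor the caller must test the
 * path without its query string (Express' req.originalUrl includes it).
 * "Super Admin" has no entry; the caller bypasses the check for that role.
 * A fresh object (and fresh RegExp instances) is built on every access, so
 * a caller cannot mutate the shared list.
 */
class Auth {
    /**
     * @returns {Object<string, RegExp[]>} role name -> allowed path patterns
     */
    static get accessList() {
        return {
            Admin: [
                /^\/api\/masters\/wing\/manageWing$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/supplier\/managesupplier$/,
                /^\/api\/masters\/expensehead\/manageexpensehead$/,
                /^\/api\/masters\/subHead\/manageSubHead$/,
                /^\/api\/user\/save-member$/,
                /^\/api\/user\/changepassword$/,
                /^\/api\/masters\/budget\/getbudgetlist$/,
                /^\/api\/masters\/budget\/getbudgetbywing$/,
                /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyduration$/,
                /^\/api\/masters\/budget\/getbudget$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader\/(\d+)$/,
                /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
            ],
            "Data Entry Operator": [
                /^\/api\/admin\/upload-data$/,
                /^\/api\/admin\/upload-income-data$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
            ],
            // "managedepartment" was listed three times here; once is enough.
            HOD: [
                /^\/api\/masters\/wing\/manageWing$/,
                /^\/api\/masters\/departments\/managedepartment$/,
                /^\/api\/masters\/supplier\/managesupplier$/,
                /^\/api\/masters\/expensehead\/manageexpensehead$/,
                /^\/api\/masters\/subHead\/manageSubHead$/,
                /^\/api\/user\/save-member$/,
                /^\/api\/user\/changepassword$/,
                /^\/api\/masters\/budget\/getbudgetlist$/,
                /^\/api\/masters\/budget\/getbudgetbywing\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyexpensehead\/(\d+)\/(\d+)$/,
                /^\/api\/masters\/budget\/getbudgetbyduration$/,
                /^\/api\/masters\/budget\/getbudget\/(\d+)$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheaderlist$/,
                /^\/api\/masters\/purchaserequisitionheader\/getpurchaserequisitionheader$/,
                /^\/api\/masters\/purchaserequisitionheader\/getprdetailsList$/,
                /^\/api\/masters\/purchaserequisitionheader\/managepurchaserequisitionheader$/,
                /^\/api\/masters\/departments\/getdepartmentlist$/,
                /^\/api\/masters\/departments\/getdepartment\/(\d+)$/,
                /^\/api\/masters\/wing\/getWingList$/,
                /^\/api\/masters\/wing\/getWing\/(\d+)$/,
            ],
        };
    }
}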
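// Super Admin bypasses the list. Every other role needs its own entry in
// Auth.accessList and the request path must match one of its patterns.
if (data.userroles[0].role !== "Super Admin") {
    const role = data.userroles[0].role;
    // req.originalUrl includes the query string; the patterns are anchored
    // with `$`, so only the path part is matched.
    const requestPath = req.originalUrl.split("?")[0];
    // Own-property lookup: a role string such as "constructor" must not
    // resolve to an inherited Object.prototype member. (The original read
    // `Auto.accessList`, a typo for `Auth`.)
    const accessList = Object.prototype.hasOwnProperty.call(Auth.accessList, role)
        ? Auth.accessList[role]
        : null;
    if (!accessList || !accessList.some((pattern) => pattern.test(requestPath))) {
        throw new Error("You have no access to update data.");
    }
}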
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


