Access Control List based authentication on routes made as simple as it can get.

• Angular 1.4+ as MV* framework
• UI-Router as your router module

Permission helps you gain control of your routes, by using simple concepts for you to decide who can access them. I've seen plenty of big fat tutorials on access control implementations, and they can be quite overwhelming. So I bring you a simple, powerful, straightforward solution.

bower install angular-permission --save

npm install angular-permission --save

angular.module('yourModule', [..., 'permission', 'ui-router', ...]);

Important! Angular permission is using ui-router state decoration to be able to inherit permissions/roles from parent states. So make sure that permission dependency is included before ui-router as in example above.

So, how do you tell Permission what does 'anonymous', 'admin' or 'foo' mean and how to know if the current user belongs to those definitions?

Well, Permission allows you to set different 'permissions' definitions along with the logic that determines if the current session belongs to them. To do that library exposes special container PermissionStore that allows you to manipulate them freely.

// Let's imagine we have a User service which has information about the current user in the session
// and is undefined if no session is active
//
// We will define the following permissions:
// anonymous: When there is not user currently logged in
// normal: A user with isAdmin = false
// admin: A user with isAdmin = true

angular
  .module('fooModule', ['permission', 'user'])
  .run(function (PermissionStore, User) {
    // Define anonymous permission
    PermissionStore
      .definePermission('anonymous', function (stateParams) {
        // If the returned value is *truthy* then the user has the permission, otherwise they don't
        if (!User) {
          return true; // Is anonymous
        }
        return false;
      });
  });

Sometimes you will need to call some a back-end api or some other asynchronous task to define the permission. For that you can use promises:

angular.module('barModule', ['permission', 'user'])
  .run(function (PermissionStore, User, $q) {
    PermissionStore
      // Define user permission calling back-end
      .definePermission('user', function (stateParams) {
        // This time we will return a promise
        // If the promise *resolves* then the user has the permission, if it *rejects* (you guessed it)

        // Let's assume this returns a promise that resolves or rejects if session is active
        return User.checkSession();
      })
      
    PermissionStore
      // A different example for admin
      .definePermission('admin', function (stateParams) {
        var deferred = $q.defer();

        User.getAccessLevel()
          .then(function (data) {
            if (data.accessLevel === 'admin') {
              deferred.resolve();
            } else {
              deferred.reject();
            }
          }
          .catch(function () {
            // Error with request
            deferred.reject();
          });

        return deferred.promise;
      });
  });

You can also set many permissions which share the same validator. This is useful when you have some central service which handles the validation.

To define many permissions which share one validator callback, use defineManyPermissions(<array>, <validator function>)

PermissionStore.defineManyPermissions(arrayOfPermissionNames, function (stateParams, permissionName) {
  return User.hasPermissionDefinition(permissionName);
});

or use internal Permission service to check if user has one of permissions:

PermissionStore.defineManyPermissions(arrayOfPermissionNames, function (stateParams, permissionName) {
  return Permission.hasPermissionDefinition(permissionName);
});

You can easily remove all permissions after user logged out or switched profile:

PermissionStore.clearStore();

Alternatively you can use removePermissionDefinition to delete defined permissions manually:

PermissionStore.removePermissionDefinition('user');

To get all user permissions use method getStore:

var permissions = PermissionStore.getStore();

Similarly to permissions Permission exposes RoleStore that allows to define custom roles used by users in your application. They can relate to already existing permissions, so 'Accountant' can be set of 'User' and 'InvoiceEditor' or alternatively custom server/browser validated privilege.

angular
  .module('fooModule', ['permission', 'user'])
  .run(function (RoleStore, User) {
    RoleStore
      // Permission array validated role
      // Library will internally validate if 'user' and 'editor' permissions are valid when checking if role is valid   
      .defineRole('admin', ['user', 'editor']);  
      
    RoleStore    
      // Server side validated role
      .defineRole('accountant', [], function (stateParams) {
        // Let's assume that we are making a request to server here and return response as promise        
        return User.hasRole('accountant');
      });
  });

To remove all roles after user logged out or switched profile use:

RoleStore.clearStore();

Alternatively you can use removeRoleDefinition to delete defined role manually:

RoleStore.removeRoleDefinition('user');

To get all user roles use method getStore:

var roles = RoleStore.getStore();

Angular permission rely on ui-router's data property, reserving key permissions for routes which requires authorization.

Permissions object accepts following parameters:

• only [Array|Function|Promise] - set of allowed permissions/roles
• except [Array|Function|Promise] - set of denied permissions/roles
• redirectTo [String|Function|Object|Promise] - redirection configuration when state permissions/roles are not met

// We define a route via ui-router's $stateProvider
$stateProvider
  .state('staffpanel', {
    url: '...',
    data: {
      permissions: {
        only: ['admin', 'moderator']
      }
    }
  });

You can either set an only or an except array.

// Let's prevent anonymous users from looking at a dashboard
$stateProvider
  .state('dashboard', {
    url: '...',
    data: {
      permissions: {
        except: ['anonymous']
      }
    }
  });

Another thing you can do is set redirectTo property that will handle unmatched permission redirection:

$stateProvider
  .state('dashboard', {
    url: '...',
    data: {
      permissions: {
        except: ['anonymous'],
        redirectTo: 'login'
      }
    }
  });

Property redirectTo can also accept function:

$stateProvider
  .state('agenda', {
    data: {
      permissions: {
        only: ['manager'],
        redirectTo: function(){
          return 'auth';
        }
      }
    }
  })

Important! Remember to always return route's state. Otherwise errors will thrown from either Permission or UI-Router library.

or object with map of permissions/roles:

$stateProvider
  .state('agenda', {
    data: {
      permissions: {
        only: ['manager'],
        redirectTo: {
          account: 'profile',
          user: function(){
            return 'dashboard';
          },
          default: 'auth'
        }
      }
    }
  })

Important! Remember define default property that will handle fallback redirect for not defined permissions. Otherwise errors will thrown from either Permission or UI-Router library.

Permission module exposes directive permission that can show/hide elements of your application based on set of permissions.

Directives accepts either single permission that has to be met in order to display it's content:

<div permission only="'loggedIn'">
  <span>Congrats! You are logged in.</span>  
</div>

Or set of permissions separated by 'coma':

<div permission except="['user','admin']">
  <span>You are not 'admin' nor 'user'.</span>  
</div>

Important! When using async calls to fetch permissions in initial states make sure that modules (or app) are waiting for permissions to be resolved before running them:

[index.html]
<div ui-view="root" ng-if="appReady"><div>

And in app module:

 var app = ng.module('app', ['permission']);
 
 app.run(function($rootScope, User){
   User
    .fetchPermission()
    .then(function(){
      $rootScope.appReady = true;
    })
 })

• $stateChangePermissionStart: This event is broadcasted before perform authorize.

  $rootScope.$on('$stateChangePermissionStart',
  function(event, toState, toParams, options) { ... });

• $stateChangePermissionAccepted: This event is broadcasted when one of the permissions has been accepted and the state changes successfully.

  $rootScope.$on('$stateChangePermissionAccepted',
  function(event, toState, toParams, options) { ... });

• $stateChangePermissionDenied: This event is broadcasted when the access to the target state is not granted (no permissions found on the only array or at least one permission found on the except array). This is when the state stays the same or is changed based on the redirectTo option.

  $rootScope.$on('$stateChangePermissionDenied',
  function(event, toState, toParams, options) { ... });

Because of a bug in ui-router, when using $urlStateProvider.otherwise we get an infinite digest loop error. A workaround was found by @shoaibmerchant and it goes like this:

// Normal usage (creates INFDG error)
$urlRouterProvider.otherwise('/somestate');

// Instead
$urlRouterProvider.otherwise( function($injector) {
  var $state = $injector.get("$state");
  $state.go('/somestate');
});

The correct way to contribute is:

1. Create a branch from the development branch
2. Implement your new feature
3. Submit a pull request to be merged in the development branch
4. Remember to run grunt build before your last commit

• Rafael Vidaurre
• @narzerus
• I'm a full-stack developer currenly working as CTO and Co-Founder at Finciero