Now that roles ships as a Meteor core package (roles@1.1.0), jam:method could offer first-class permission enforcement in createMethod config, instead of each app re-implementing an auth before hook for it.
A built-in option would make the common "this method requires permission X in scope Y" case declarative, consistent, and harder to forget.
Proposed API
createMethod({
name: 'foo.bar',
// global scope
permission: 'foo.admin',
// or scoped, with the scope value read from the method args
permission: { name: 'foo.admin', scope: async/sync (args /* from method call */) => {...} | 'stringScope' },
async run(args) { /* ... */ },
});
Semantics:
- Runs as first before hook
- Unauthenticated (!this.userId) or missing role → throws a standard Meteor.Error('forbidden', ...).
Open followup questions:
- What would be the best way to prevent forgetting to set permissions (deny by default approach, similar to "open")?
If you think it would be a nice addition, let me know and I will get started on a PR
Now that roles ships as a Meteor core package (roles@1.1.0), jam:method could offer first-class permission enforcement in createMethod config, instead of each app re-implementing an auth before hook for it.
A built-in option would make the common "this method requires permission X in scope Y" case declarative, consistent, and harder to forget.
Proposed API
Semantics:
Open followup questions:
If you think it would be a nice addition, let me know and I will get started on a PR