Access control for API calls in EQUIP is controlled per-call basis, to allow for access through groups. Eventually, we'd like to move towards a system that uses methods from the object as recommended by current meteor best practices.
When contributing to the code, please follow all meteor best practices, including those mentioned on meteor's developer guide.
Access control is done through the use of the
checkAccess() function in
helpers/access.js. This is to allow the access (edit, view, etc.) by users to which that entity has been shared. The functin is called with the entity's
_id, the type, and the access level required. The
view level is used when copying/duplicating content, the
edit level when modifying content,
delete when deleting content, and
admin are used by groups.
As there is currently no versioning,
edit access has the potential to be as destructive as
delete, so giving this permission should be used carefully.
If the user owns the entity, the access level is ignored and the user is allowed to do anything. If the access check fails, a
Meteor.error is thrown with a descriptive message.