noonjs uses a role-based permission system in which * stands for visitors. If a role such as "admin" is set to true, it has full permissions: the admin can create, read, update, and delete without any restrictions. If * is set to true, everyone has full access to the collection. For each role, the four methods GET, POST, PATCH, and DELETE can also be customized individually.
In this example, everybody has full access to the todos collection. Anyone can create, read, update, and delete todos without restriction.
{
  "todos": {
    "schema": { ... },
    "permissions": {
      "*": true
    }
  }
}
In this example, users can only read todos, while admins have full access to the todos collection.
{
  "todos": {
    "schema": { ... },
    "permissions": {
      "user": {
        "get": true
      },
      "admin": true
    }
  }
}
In this example, users can only read their own todos. They can post a new todo with only a title, and when a new document is added, a signal is sent to the respective user’s clients. Users can update their own todos, and after patching, no events are fired.
{
  "todos": {
    "schema": { ... },
    "permissions": {
      "user": {
        "get": {
          "q": {
            "user": "$.auth._id"
          }
        },
        "post": {
          "pick": ["title"],
          "io": {
            "$.user": ["_id"]
          }
        },
        "patch": {
          "q": {
            "user": "$.auth._id"
          },
          "pick": ["title"]
        }
      }
    }
  }
}
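The three configurations above differ mainly in how much each rule is narrowed, so a static review of the permissions block can catch rules that are broader than intended. The following is an added example, not part of noonjs: the function name auditPermissions, the severity labels, and the reading that a rule without q applies to all documents and a write without pick has no field allow-list are assumptions made for illustration.

```javascript
// Added example, not noonjs code: static review of a config in the format above.
const METHODS = ["get", "post", "patch", "delete"];

function auditPermissions(config) {
  const findings = [];
  const add = (level, where, issue) => findings.push({ level, where, issue });
  for (const [collection, def] of Object.entries(config)) {
    for (const [role, rule] of Object.entries(def.permissions || {})) {
      const base = `${collection}.${role}`;
      if (rule === true) {
        // true on a role grants create, read, update and delete (per the page).
        if (role === "*") add("high", base, "every visitor has full access");
        else add("info", base, "role has full access; confirm it is intended");
        continue;
      }
      if (rule === null || typeof rule !== "object") continue;
      for (const method of METHODS) {
        const m = rule[method];
        if (!m) continue; // method not granted to this role
        const where = `${base}.${method}`;
        const write = method !== "get";
        if (role === "*" && write) add("high", where, "visitors can modify data");
        const opts = m === true ? {} : m;
        // Assumption: without "q" the rule is not limited to the caller's documents.
        if (method !== "post" && !opts.q)
          add(write ? "medium" : "low", where, "no q filter on this method");
        // Assumption: without "pick" there is no allow-list of writable fields.
        if ((method === "post" || method === "patch") && !Array.isArray(opts.pick))
          add("medium", where, "no pick list on a write");
      }
    }
  }
  return findings;
}

// Constructed sample configs (schemas left empty for brevity).
const scoped = { todos: { schema: {}, permissions: { user: {
  get: { q: { user: "$.auth._id" } },
  post: { pick: ["title"], io: { "$.user": ["_id"] } },
  patch: { q: { user: "$.auth._id" }, pick: ["title"] } } } } };
const loose = { todos: { schema: {}, permissions: {
  "*": true, user: { get: true, patch: {}, delete: true }, admin: true } } };

console.log(auditPermissions(scoped)); // owner-scoped config: no findings
console.log(auditPermissions(loose));  // six findings, the first is "high"
```

Running a check like this in CI against the config file gives a reviewable list whenever a role is widened.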