Updating to allow a list of roles to be retrieved, allowing resources to have multiple levels of role that they can be accessed via.

packages/auth/src/security/roles.js

@@ -231,7 +231,8 @@ exports.getRequiredResourceRole = async (
   { resourceId, subResourceId }
 ) => {
   const roles = await exports.getAllRoles(appId)
-  let main, sub
+  let main = [],
+    sub = []
   for (let role of roles) {
     // no permissions, ignore it
     if (!role.permissions) {
@@ -240,12 +241,13 @@ exports.getRequiredResourceRole = async (
     const mainRes = role.permissions[resourceId]
     const subRes = role.permissions[subResourceId]
     if (mainRes && mainRes.indexOf(permLevel) !== -1) {
-      main = role
+      main.push(role._id)
     } else if (subRes && subRes.indexOf(permLevel) !== -1) {
-      sub = role
+      sub.push(role._id)
     }
   }
-  return sub ? sub : main
+  // for now just return the IDs
+  return main.concat(sub)
 }
 
 class AccessController {

packages/server/src/middleware/authorized.js

@@ -46,13 +46,15 @@ module.exports =
       idOnly: false,
     })
     const permError = "User does not have permission"
-    let requiredRole
+    let possibleRoleIds = []
     if (hasResource(ctx)) {
-      requiredRole = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
+      possibleRoleIds = await getRequiredResourceRole(ctx.appId, permLevel, ctx)
     }
     // check if we found a role, if not fallback to base permissions
-    if (requiredRole) {
-      const found = hierarchy.find(role => role._id === requiredRole._id)
+    if (possibleRoleIds.length > 0) {
+      const found = hierarchy.find(
+        role => possibleRoleIds.indexOf(role._id) !== -1
+      )
       return found ? next() : ctx.throw(403, permError)
     } else if (!doesHaveBasePermission(permType, permLevel, hierarchy)) {
       ctx.throw(403, permError)