[annotator-dev] Permissions plugin

Jamie M Folsom jfolsom at MIT.EDU
Wed Aug 29 21:12:39 UTC 2012

There was an rookie error in my last email, corrected here:
current_user.id instead of current_user.email. Those and all other 
tokens in this code are replaced at render time by the Rails app.

The last line here does return true as expected, but I if simply want to assert 
who should be able to view/edit annotations, where would I call authorize
and what would I do with the returned value? Apologies if this is obvious.



		.annotator('setupPlugins', {}, {
			Auth: {
				token: '<%= @jwt %>'
			Store: {
				// prefix: 'http://annotations.mit.edu/api',
				prefix: 'http://localhost:5000/api',
			Filter: false,
			Markdown: true,
			Permissions: false

	var studio = $('#textcontent').annotator().data('annotator');

	studio.addPlugin('Permissions', {
	  user: {
	    id: '<%= current_user.id %>',
	    name:'<%= current_user.firstname %>',
	    group: 'Admin'

	  // Either current_user or the group admin can perform actions on these annotations.
	  permissions: {
	    'read':   ['<%= current_user.id %>', 'group:Admin'],
	    'update': ['<%= current_user.id %>', 'group:Admin'],
	    'delete': ['<%= current_user.id %>', 'group:Admin'],
	    'admin':  ['<%= current_user.id %>', 'group:Admin']

	  userAuthorize: function (user, token) {
	    // If the token is our admin token and the user
	    // is in the admin group then authorise.
	    if (token === 'group:Admin' && user.group === 'Admin') {
	      return true;

	    // If it's not an admin token check the id.
	    return user.id === token;

	studio.plugins.Permissions.authorize({ id: '<%= current_user.id %>', group: 'Admin' },  'group:Admin');

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1583 bytes
Desc: not available
URL: <http://lists.okfn.org/pipermail/annotator-dev/attachments/20120829/54892ed1/attachment-0004.bin>

More information about the annotator-dev mailing list