acl: add simple role-based ACL plugin

[goto-bus-stop]

Works a bit like:

uw.acl.createRole('moderator', [
  'waitlist.add',
  'waitlist.remove'
]);

uw.acl.createRole('manager', [
  'moderator',
  'waitlist.clear'
]);

uw.acl.allow(user, ['manager']);

user.can('waitlist.add') == true;

Needs a few more functions:

• deleting roles
• user.(dis)allow method that calls uw.acl.(dis)allow

And perhaps should also just put ACL roles in the main user model instead of a separate AclUser model.

[fawaf]

ohh, very nice.

[goto-bus-stop]

Thing to think about: what happens when you user.disallow() a role that has not been allowed directly, but is a subrole of the user's role? currently this means the disallow() call would be a no-op.

At least two ways to solve:

• When disallow() is called with a "subrole", remove the parent role and add its other subroles. Upside: simple; downside: when the parent role is updated, changes aren't automatically propagated to this user anymore.
• Add a way to specify "exclusion roles", roles that will be ignored when checking if the user is allowed to do something. eg roles: ['user'], exclude: ['waitlist.join'] would return false for user.can('waitlist.join'). Upside: propagates updates as expected; downside: more complex

[goto-bus-stop]

Thing to think about: what happens when you user.disallow() a role that has not been allowed directly, but is a subrole of the user's role? currently this means the disallow() call would be a no-op.

I think i'll just ignore this case. A client UI can restrict what can be removed from a user, and only allow removing roles that had been assigned directly. Host should create a new role instead if they want to remove one permission from a user but keep the rest.

[goto-bus-stop]

now just need to make tests work on travis 👀 👀

[goto-bus-stop]

o, that did it 🎉