Savory
The Scalable Prudence/MongoDB
Web Development Framework


Savory's Authorization Service

When used with the authentication service, this service lets you secure your site by allowing only authorized users to access certain resources or perform certain operations.

Refer to the Savory.Authorization API documentation for more details.

Entities and Inheritance

Permissions are associated with "entities," which can be either individual users (from the authentication service) or groups, which are here stored in a simple MongoDB collection.

Each entity can inherit permissions from any number of other entities, in order. The common use case is for a user to "belong" to a few groups, and inherit their permissions. This lets you centrally manage permissions for large groups of users, and easily change a user's permission profile by changing their groups. Entities can inherit from other entities, and so on.

Permissions will be overridden by the inheritor: for example, if you specifically grant a user permission to edit a certain page, they will have this permission even if the group they inherit from specifically forbids it. The order of inheritance also allows for overriding.

Cascading Permissions

The common practice is to name permissions using a hierarchical dot notation, with each level of depth corresponding to moving into a specific section, resource or operation in your application. In some cases, it may make sense to treat a permission as if it covers all sub-permissions in a hierarchy. Here we call this "cascading permissions."
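
The inheritance and cascading rules described above, as an added sketch; it is not Savory's code or the Savory.Authorization API. The `entities` object, its field names, the first-listed-parent-wins ordering, and the default deny are assumptions made for the example.

```javascript
// Constructed sample data; entity names and field names are assumptions,
// not Savory's actual MongoDB schema.
const entities = {
  editors: { inherits: [], permissions: { 'pages.edit': true, 'pages.edit.legal': false } },
  interns: { inherits: [], permissions: { 'pages.edit': false } },
  alice:   { inherits: ['editors', 'interns'], permissions: { 'pages.edit.legal': true } },
  bob:     { inherits: ['interns', 'editors'], permissions: {} },
  loopA:   { inherits: ['loopB'], permissions: {} },
  loopB:   { inherits: ['loopA'], permissions: {} }
};

// Look up a permission on one entity only. With cascading, walk from the full
// name up through its dot-separated ancestors; the most specific entry wins.
function ownDecision(entity, permission, cascade) {
  const parts = permission.split('.');
  while (parts.length > 0) {
    const name = parts.join('.');
    if (Object.prototype.hasOwnProperty.call(entity.permissions, name)) {
      return entity.permissions[name];
    }
    if (!cascade) break;
    parts.pop();
  }
  return undefined; // this entity says nothing about the permission
}

// The entity's own entries are checked first (the inheritor overrides), then each
// inherited entity in listed order, depth-first. Assumption: earlier-listed wins.
function resolve(name, permission, cascade, seen = new Set()) {
  if (seen.has(name) || !entities[name]) return undefined; // cycle or unknown entity
  seen.add(name);
  const entity = entities[name];
  const own = ownDecision(entity, permission, cascade);
  if (own !== undefined) return own;
  for (const parent of entity.inherits) {
    const inherited = resolve(parent, permission, cascade, seen);
    if (inherited !== undefined) return inherited;
  }
  return undefined;
}

// Assumption: default deny when no entity in the chain has an entry.
function isPermitted(name, permission, cascade = true) {
  return resolve(name, permission, cascade) === true;
}
```

Because the inheritor is consulted first under these assumptions, a broad cascading entry set directly on a user outranks a more specific deny on one of their groups, which is worth checking for when auditing grants.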

TODO