add manage user permission

src/accesscontrol.js

@@ -1,10 +1,12 @@
 'use strict';
 
 exports = module.exports = {
-    ROLE_ADMIN: 'admin',
+    PERMISSION_ADMIN: 'admin', // not a real permission, but a role
+    PERMISSION_MANAGE_USERS: 'manange_users',
 
     verifyToken: verifyToken,
-    hasRole: hasRole
+    hasPermission: hasPermission,
+    validatePermissions: validatePermissions
 };
 
 var assert = require('assert'),
@@ -12,13 +14,26 @@ var assert = require('assert'),
     tokendb = require('./tokendb.js'),
     users = require('./users.js');
 
-function hasRole(user, requiredRole) {
+function hasPermission(user, requiredPermission) {
     assert.strictEqual(typeof user, 'object');
-    assert.strictEqual(typeof requiredRole, 'string');
+    assert.strictEqual(typeof requiredPermission, 'string');
 
-    if (requiredRole === exports.ROLE_ADMIN && user.admin) return null;
+    if (user.admin) return null;
+    if (user.permissions && user.permissions.includes(requiredPermission)) return null;
 
-    return new BoxError(BoxError.ACCESS_DENIED, 'Not allowed');
+    return new BoxError(BoxError.ACCESS_DENIED, 'Not permitted');
+}
+
+function validatePermissions(permissions) {
+    assert(permissions === null || Array.isArray(permissions));
+
+    if (permissions === null || permissions.length === 0) return null;
+    if (permissions.length === 1 && permissions[0] === exports.PERMISSION_MANAGE_USERS) return null;
+
+    // here for completeness
+    if (permissions.includes(exports.PERMISSSION_ADMIN)) return new BoxError(BoxError.BAD_FIELD, 'admin is not a permission');
+
+    return new BoxError(BoxError.BAD_FIELD, 'Invalid permissions');
 }
 
 function verifyToken(accessToken, callback) {