
Add /api/admin authorization #10

Open · wants to merge 3 commits into base: master

Conversation

puckey (Contributor) commented Jul 27, 2020

I noticed that the /api/admin/dummies endpoints were not protected with the same authentication as the admin panel.

Perhaps there is a better way to do this, but adding authorize = ctx => ctx.isAuthenticated() to the /api/admin/dummies controller does the trick.

lehni (Contributor) commented Jul 30, 2020

The dito way is something like this:

authorize = 'admin', with 'admin' being a role that the user is matched against. The user can define a method $hasRole() for this purpose. The default checks an optional roles array property. I think we should use this in the example app.

lehni (Contributor) commented Jul 30, 2020

There is some documentation about this in the comments of processAuthorize():

          // Support 3 scenarios:
          // - '$self': The requested member is checked against `ctx.state.user`
          //   and the action is only authorized if it matches the member.
          // - '$owner': The member is asked if it is owned by `ctx.state.user`
          //   through the optional `Model.$hasOwner()` method.
          // - any string:  `ctx.state.user` is checked for this role through
          //   the overridable `UserModel.hasRole()` method.

lehni (Contributor) commented Jul 30, 2020

You can also check against multiple roles by providing an array: authorize = ['admin', 'superuser']. And you can provide a function that returns a string or an array to check roles against. Lots of possibilities :)

lehni (Contributor) commented Jul 30, 2020

authorize can be set at a per-controller and per-action level.

puckey (Contributor, Author) commented Jul 31, 2020

Okay, so this entails adding a roles property to the User model's properties. If this is the Dito way, would it be an idea to have a roles property in the User model by default, with options for admin and editor, for example?

puckey added 2 commits July 31, 2020 17:10
# Conflicts:
#	src/server/controllers/api/admin/dummies.js
puckey (Contributor, Author) commented Jul 31, 2020

I added user roles to this PR here: b03ebdb

puckey (Contributor, Author) commented Jul 31, 2020

I guess a next step would be to allow editing / creating users when you have the 'admin' role and editing yourself when you have the 'editor' role.
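The authorize scenarios lehni lists above ('$self', '$owner', a role string, an array of roles, a function, and per-controller versus per-action settings), together with the admin/editor split puckey proposes here, worked through in an added JavaScript example. This is not Dito's code and not part of this PR; `UserModel`, `Dummy`, `makeCtx()`, `resolveAuthorize()`, `isAuthorized()`, `can()` and the two controller objects are assumptions made for the illustration. The only thing taken from the thread is the meaning of each `authorize` value, including the `ctx => ctx.isAuthenticated()` form from the opening comment.

```javascript
// Added example (not Dito's code, not part of this PR): a minimal model of how
// an `authorize` setting on a controller or action can be resolved against the
// request's user. It mirrors the scenarios described in the thread:
//   '$self'     -> the requested member must be the user in ctx.state.user
//   '$owner'    -> the member's $hasOwner(user) must return true
//   any string  -> the user must have that role (overridable $hasRole())
//   an array    -> any one entry may match
//   a function  -> may return a boolean (ctx => ctx.isAuthenticated()),
//                  or a string / array that is then checked as above
// UserModel, Dummy, makeCtx(), resolveAuthorize(), can() and the controller
// objects below are assumed names for this illustration only.

class UserModel {
  constructor({ id, roles = [] }) {
    this.id = id;
    this.roles = roles;
  }
  // Default role check: consults the optional `roles` array. An app could
  // override this, e.g. to look roles up in a separate table.
  $hasRole(role) {
    return this.roles.includes(role);
  }
}

class Dummy {
  constructor({ id, ownerId }) {
    this.id = id;
    this.ownerId = ownerId;
  }
  // Optional ownership hook consulted by the '$owner' scenario.
  $hasOwner(user) {
    return Boolean(user) && user.id === this.ownerId;
  }
}

// Constructed request context; `user` is null for an unauthenticated request.
function makeCtx(user) {
  return { state: { user }, isAuthenticated: () => user != null };
}

// An action-level `authorize` overrides the controller-level default.
function resolveAuthorize(controller, action) {
  const actionDef = controller.actions[action] || {};
  return 'authorize' in actionDef ? actionDef.authorize : controller.authorize;
}

function isAuthorized(authorize, ctx, member) {
  const user = ctx.state.user;
  if (!user) return false; // no user, so there is nothing to match against
  if (typeof authorize === 'function') {
    const result = authorize(ctx, member);
    if (typeof result === 'boolean') return result;
    return isAuthorized(result, ctx, member); // string or array of roles
  }
  if (Array.isArray(authorize)) {
    return authorize.some(entry => isAuthorized(entry, ctx, member));
  }
  if (authorize === '$self') return member != null && member.id === user.id;
  if (authorize === '$owner') {
    return member != null && typeof member.$hasOwner === 'function'
      && member.$hasOwner(user);
  }
  if (typeof authorize === 'string') return user.$hasRole(authorize);
  return false; // unknown or missing setting: deny by default
}

// Controllers shaped like the thread's suggestion: admins manage all users,
// an editor may only update their own record; dummies need the 'admin' role,
// except that an owner may delete their own dummy.
const usersController = {
  authorize: 'admin',
  actions: {
    create: {},
    update: { authorize: ['admin', '$self'] },
  },
};
const dummiesController = {
  authorize: 'admin',
  actions: {
    delete: { authorize: ['admin', '$owner'] },
  },
};

// Convenience wrapper: may `user` run `action` on `controller` for `member`?
function can(controller, action, user, member) {
  return isAuthorized(resolveAuthorize(controller, action), makeCtx(user), member);
}

// Constructed sample users and a sample record for a quick run.
const admin = new UserModel({ id: 1, roles: ['admin'] });
const editor = new UserModel({ id: 2, roles: ['editor'] });
const dummy = new Dummy({ id: 7, ownerId: 2 });
console.log('editor creates user:', can(usersController, 'create', editor, null));
console.log('editor updates self:', can(usersController, 'update', editor, editor));
console.log('editor deletes own dummy:', can(dummiesController, 'delete', editor, dummy));
console.log('anonymous updates editor:', can(usersController, 'update', null, editor));
```

The deny-by-default branch at the end of `isAuthorized()` is the part worth keeping in mind when wiring this up: an action with no `authorize` at all falls back to the controller setting, and a controller with no setting is denied rather than silently open, which is the gap the PR description reports for `/api/admin/dummies`.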
