const express = require('express');

const app = express();

/**
 * Role-resolution middleware: tags every request with `req.role`.
 *
 * SECURITY: the role is read from the `admin` query-string parameter, which
 * the client fully controls; any truthy value selects the "admin" role. This
 * is a stand-in for authentication, not an access control. In a real
 * application, derive the role from a server-verified identity (for example
 * a session or a validated token) before relying on `restrict`.
 */
app.use((req, res, next) => {
  req.role = req.query.admin ? 'admin' : 'anon';
  next();
});

/**
 * Builds a route guard that only lets through requests whose `req.role`
 * is listed in `roles`.
 *
 * @param {string[]} roles - Roles allowed to reach the route.
 * @returns {Function} Express middleware that answers 403 for any other role.
 */
function restrict(roles) {
  return function (req, res, next) {
    if (roles.includes(req.role)) {
      next();
      return;
    }
    // Role not in the allow-list: refuse and do not call the route handler.
    res.sendStatus(403);
  };
}

// Open route: both roles are accepted.
app.get('/', restrict(['anon', 'admin']), (req, res) => {
  res.send('Hola');
});

// Admin-only route: the guard is only as strong as the role assignment in
// the middleware registered at the top of this script.
app.get('/secreto', restrict(['admin']), (req, res) => {
  res.send('Mundo');
});

app.listen(3000);