Documentation
Index
- func Can(ctx context.Context, permission Permission) bool
- func Middleware(policy *RolePolicy, roles func(ctx context.Context) []string) func(http.Handler) http.Handler
- func RequirePermission(permission Permission) func(http.Handler) http.Handler
- func WithPolicy(ctx context.Context, policy *RolePolicy) context.Context
- func WithRoles(ctx context.Context, roles []string) context.Context
- type Permission
- type Policy
- type RolePolicy
Functions
func Can
func Can(ctx context.Context, permission Permission) bool
Can reports whether the request context carries the given permission. It reads the RolePolicy and roles installed via WithPolicy / WithRoles (by access.Middleware or battery/auth). Returns false when no policy is present — the secure-by-default answer for an un-wired request. This is the seam the CRUD layer uses to enforce EntityConfig.Access.
func Middleware
func Middleware(policy *RolePolicy, roles func(ctx context.Context) []string) func(http.Handler) http.Handler
Middleware installs the RBAC policy and the request's roles into the context so downstream RequirePermission middleware and auto-CRUD permission gates (EntityConfig.Access) can resolve permissions. roles maps a request context to the caller's roles — typically by reading the authenticated user; pass nil to install only the policy (roles resolved elsewhere). Mount this once, app-wide or on a route group, ahead of any permission-gated routes.
func RequirePermission
func RequirePermission(permission Permission) func(http.Handler) http.Handler
RequirePermission returns HTTP middleware that checks if the current user has the specified permission. Returns 403 if denied.
func WithPolicy
func WithPolicy(ctx context.Context, policy *RolePolicy) context.Context
WithPolicy stores a RolePolicy in the context.
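The deny-by-default gate described for Can and RequirePermission, as an added example that is not this package's source: a self-contained stand-in that reuses the documented names and signatures, while the struct field, the context keys and the `status` helper are assumptions made for illustration. An un-wired context and an ungranted permission both get 403; only a role holding the grant reaches the handler.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Permission string
type ctxKey string                                              // assumed: the real context keys are unexported
type RolePolicy struct{ grants map[string]map[Permission]bool } // stand-in field (assumed)

func WithPolicy(ctx context.Context, rp *RolePolicy) context.Context { return context.WithValue(ctx, ctxKey("policy"), rp) }
func WithRoles(ctx context.Context, roles []string) context.Context { return context.WithValue(ctx, ctxKey("roles"), roles) }

// Can denies unless ctx carries a policy and a role that was granted p.
func Can(ctx context.Context, p Permission) bool {
	rp, _ := ctx.Value(ctxKey("policy")).(*RolePolicy)
	roles, _ := ctx.Value(ctxKey("roles")).([]string)
	for _, r := range roles {
		if rp != nil && rp.grants[r][p] {
			return true
		}
	}
	return false // no policy, no roles, or no matching grant
}

func RequirePermission(p Permission) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if !Can(r.Context(), p) {
				http.Error(w, "forbidden", http.StatusForbidden) // deny before the handler runs
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}

func status(ctx context.Context, p Permission) int { // constructed GET /posts sent through the gate
	rec, ok := httptest.NewRecorder(), http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	RequirePermission(p)(ok).ServeHTTP(rec, httptest.NewRequest("GET", "/posts", nil).WithContext(ctx))
	return rec.Code
}

func main() {
	wired := WithRoles(WithPolicy(context.Background(), &RolePolicy{grants: map[string]map[Permission]bool{"editor": {"posts:write": true}}}), []string{"editor"})
	fmt.Println(status(context.Background(), "posts:write"), status(wired, "posts:write"), status(wired, "posts:delete"))
}
```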
Types
type Permission
type Permission string
Permission represents an action permission string (e.g. "posts:read", "posts:write").
func GetPermissions
func GetPermissions(ctx context.Context) []Permission
GetPermissions extracts the user's permissions from context by looking up the user's roles against the RolePolicy.
Returns nil if ctx is nil, missing a policy, or missing roles — never panics. A nil context is treated as an anonymous request rather than allowed to crash the handler.
type Policy
type Policy interface {
Can(ctx context.Context, permission Permission) bool
}
Policy determines whether the subject in ctx holds a permission.
type RolePolicy
type RolePolicy struct {
// contains filtered or unexported fields
}
RolePolicy implements Policy using role-based permission grants.
Grant and Revoke may be called concurrently with Can / GetPermissions: the underlying role→permissions map is guarded by an RWMutex, so reads don't block each other and writes can't trigger Go's fatal concurrent map access error.
func (*RolePolicy) Can
func (rp *RolePolicy) Can(ctx context.Context, permission Permission) bool
Can checks if the user from ctx has the given permission via any of their roles.
func (*RolePolicy) Grant
func (rp *RolePolicy) Grant(role string, permissions ...Permission)
Grant adds permissions to a role.
func (*RolePolicy) Revoke
func (rp *RolePolicy) Revoke(role string, permissions ...Permission)
Revoke removes specific permissions from a role.