authz

package
v1.0.0-rc.19-i18nfix.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2026 License: AGPL-3.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source
const (
	EffectAllow = "allow"
	EffectDeny  = "deny"
)
View Source
const (
	ResourceChannel = "channel"

	ActionRead           = "read"
	ActionOperate        = "operate"
	ActionWrite          = "write"
	ActionSensitiveWrite = "sensitive_write"
	ActionSecretView     = "secret_view"
)
View Source
const (
	BuiltInRoleRoot  = "root"
	BuiltInRoleAdmin = "admin"
)

Variables

View Source
var (
	ChannelRead           = Permission{Resource: ResourceChannel, Action: ActionRead}
	ChannelOperate        = Permission{Resource: ResourceChannel, Action: ActionOperate}
	ChannelWrite          = Permission{Resource: ResourceChannel, Action: ActionWrite}
	ChannelSensitiveWrite = Permission{Resource: ResourceChannel, Action: ActionSensitiveWrite}
	ChannelSecretView     = Permission{Resource: ResourceChannel, Action: ActionSecretView}
)

Functions

func Can

func Can(userID int, systemRole int, permission Permission) bool

Can reports whether the subject may perform the permission. A superuser role short-circuits to allow. Otherwise a per-user override wins, then the union of the subject's role baselines applies.

func ClearUserAuthorization

func ClearUserAuthorization(userID int) error

func ClearUserAuthorizationInTx

func ClearUserAuthorizationInTx(tx *gorm.DB, userID int) error

func ClearUserPermissions

func ClearUserPermissions(userID int) error

func ClearUserPermissionsInTx

func ClearUserPermissionsInTx(tx *gorm.DB, userID int) error

func Init

func Init(db *gorm.DB) error

func RegisterResource

func RegisterResource(resource ResourceDefinition)

RegisterResource adds a resource definition to the permission registry.

func ReloadPolicy

func ReloadPolicy() error

func RoleSubject

func RoleSubject(roleKey string) string

RoleSubject is the casbin subject string for a role.

func SetUserPermissions

func SetUserPermissions(userID int, permissions PermissionsMap) error

func SetUserPermissionsInTx

func SetUserPermissionsInTx(tx *gorm.DB, userID int, permissions PermissionsMap) error

func StartPolicySync

func StartPolicySync(frequency int)

StartPolicySync periodically reloads the authorization policy from the database. The enforcer keeps an in-memory snapshot, and permission changes are written straight to the DB (see SetUserPermissionsInTx) with only the local node's snapshot refreshed afterwards. Without this loop other instances in a multi-node deployment would keep serving stale permissions (including not honoring a revoked grant) until restart. Mirrors model.SyncOptions polling.

func UserSubject

func UserSubject(userID int) string

UserSubject is the casbin subject string for a single user.

Types

type ActionDefinition

type ActionDefinition struct {
	Action         string   `json:"action"`
	LabelKey       string   `json:"label_key"`
	DescriptionKey string   `json:"description_key"`
	DefaultRoles   []string `json:"-"`
}

ActionDefinition describes a single action exposed by a resource. DefaultRoles lists the role keys that receive this action as part of their baseline grants.

type Permission

type Permission struct {
	Resource string
	Action   string
}

Permission identifies a single action on a resource.

func AllPermissions

func AllPermissions() []Permission

AllPermissions returns every registered permission.

func PermissionsForRole

func PermissionsForRole(roleKey string) []Permission

PermissionsForRole returns the permissions whose DefaultRoles include roleKey.

type PermissionsMap

type PermissionsMap map[string]map[string]bool

PermissionsMap is a resource -> action -> allowed lookup.

func Capabilities

func Capabilities(userID int, systemRole int) PermissionsMap

Capabilities returns the full resource/action matrix the subject is allowed.

func ExplicitUserOverrides

func ExplicitUserOverrides(userID int) PermissionsMap

ExplicitUserOverrides returns only the per-user override entries.

func ExplicitUserPermissions

func ExplicitUserPermissions(userID int) PermissionsMap

ExplicitUserPermissions returns the effective permission matrix for the managed role plus any per-user overrides.

type ResourceDefinition

type ResourceDefinition struct {
	Resource string             `json:"resource"`
	LabelKey string             `json:"label_key"`
	Actions  []ActionDefinition `json:"actions"`
}

ResourceDefinition describes a resource and the actions it exposes.

func Catalog

func Catalog() []ResourceDefinition

Catalog returns a copy of the registered resource definitions.

type RoleDescriptor

type RoleDescriptor struct {
	Key       string         `json:"key"`
	Name      string         `json:"name"`
	BuiltIn   bool           `json:"built_in"`
	Superuser bool           `json:"superuser"`
	Grants    PermissionsMap `json:"grants"`
}

RoleDescriptor exposes a role together with its baseline grant matrix.

func Roles

func Roles() []RoleDescriptor

Roles returns the role descriptors with their baseline grants.

type RoleSpec

type RoleSpec struct {
	Key         string
	Name        string
	Description string
	BuiltIn     bool
	Superuser   bool
	Sort        int
}

RoleSpec describes a role. A superuser role is allowed every permission without an explicit policy entry.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL