Documentation
Overview
Package role provides domain entities for role-based access control. Roles define which actions users can perform (permissions). A user can hold multiple roles, and the user's effective permissions are the union of the permissions of all those roles.
Index
- Variables
- type ID
- type Module
- type Permission
- type PermissionRepository
- type Repository
- type Role
- func (r *Role) AddPermission(permission string) error
- func (r *Role) CreatedAt() time.Time
- func (r *Role) CreatedBy() *ID
- func (r *Role) Description() string
- func (r *Role) HasFullDataAccess() bool
- func (r *Role) HasPermission(permission string) bool
- func (r *Role) HierarchyLevel() int
- func (r *Role) ID() ID
- func (r *Role) IsCustom() bool
- func (r *Role) IsSystem() bool
- func (r *Role) Name() string
- func (r *Role) PermissionCount() int
- func (r *Role) Permissions() []string
- func (r *Role) RemovePermission(permission string) error
- func (r *Role) SetPermissions(permissions []string) error
- func (r *Role) Slug() string
- func (r *Role) TenantID() *ID
- func (r *Role) Update(name, description string, hierarchyLevel int, hasFullDataAccess bool) error
- func (r *Role) UpdatedAt() time.Time
- type UserRole
Constants
This section is empty.
Variables
var (
	OwnerRoleID  = MustParseID("00000000-0000-0000-0000-000000000001")
	AdminRoleID  = MustParseID("00000000-0000-0000-0000-000000000002")
	MemberRoleID = MustParseID("00000000-0000-0000-0000-000000000003")
	ViewerRoleID = MustParseID("00000000-0000-0000-0000-000000000004")
)
System role IDs (fixed UUIDs for system roles).
var (
	ErrRoleNotFound           = errors.New("role not found")
	ErrCannotModifySystemRole = errors.New("cannot modify system role")
	ErrCannotDeleteSystemRole = errors.New("cannot delete system role")
	ErrRoleSlugExists         = errors.New("role with this slug already exists")
	ErrRoleInUse              = errors.New("role is assigned to users and cannot be deleted")
	ErrInvalidPermission      = errors.New("invalid permission")
	ErrUserRoleNotFound       = errors.New("user role not found")
	ErrUserRoleExists         = errors.New("user already has this role")
)
Errors
Functions
This section is empty.
Types
type ID
ID represents a unique role identifier.
func MustParseID
MustParseID parses a string to a role ID, panics on error.
type Module
type Module struct {
	ID           string
	Name         string
	Description  string
	Icon         string
	DisplayOrder int
	IsActive     bool
	Permissions  []*Permission
}
Module represents a feature grouping for permissions.
type Permission
type Permission struct {
	ID          string // e.g., "assets:read"
	ModuleID    string
	Name        string
	Description string
	IsActive    bool
}
Permission represents a granular permission.
type PermissionRepository
type PermissionRepository interface {
	// ListModulesWithPermissions returns all modules with their permissions.
	ListModulesWithPermissions(ctx context.Context) ([]*Module, error)
	// ListPermissions returns all permissions.
	ListPermissions(ctx context.Context) ([]*Permission, error)
	// GetByID retrieves a permission by its ID.
	GetByID(ctx context.Context, id string) (*Permission, error)
	// Exists checks if a permission exists.
	Exists(ctx context.Context, id string) (bool, error)
	// ValidatePermissions validates multiple permissions.
	// Returns (valid, invalidIDs, error).
	ValidatePermissions(ctx context.Context, ids []string) (bool, []string, error)
}
PermissionRepository defines the interface for permission persistence operations.
type Repository
type Repository interface {
	// Create creates a new role.
	Create(ctx context.Context, role *Role) error
	// GetByID retrieves a role by its ID.
	GetByID(ctx context.Context, id ID) (*Role, error)
	// GetBySlug retrieves a role by slug within a tenant or system.
	// For system roles, tenantID should be nil.
	GetBySlug(ctx context.Context, tenantID *ID, slug string) (*Role, error)
	// ListForTenant returns all roles available for a tenant.
	// Includes both system roles and tenant's custom roles.
	ListForTenant(ctx context.Context, tenantID ID) ([]*Role, error)
	// ListSystemRoles returns only system roles.
	ListSystemRoles(ctx context.Context) ([]*Role, error)
	// Update updates a role (only custom roles can be updated).
	Update(ctx context.Context, role *Role) error
	// Delete deletes a role (only custom roles can be deleted).
	Delete(ctx context.Context, id ID) error
	// GetUserRoles returns all roles for a user in a tenant.
	GetUserRoles(ctx context.Context, tenantID, userID ID) ([]*Role, error)
	// GetUserPermissions returns all permissions for a user (UNION of all roles).
	GetUserPermissions(ctx context.Context, tenantID, userID ID) ([]string, error)
	// HasFullDataAccess checks if user has full data access (any role with has_full_data_access=true).
	HasFullDataAccess(ctx context.Context, tenantID, userID ID) (bool, error)
	// AssignRole assigns a role to a user (adds to user's roles).
	AssignRole(ctx context.Context, tenantID, userID, roleID ID, assignedBy *ID) error
	// RemoveRole removes a role from a user.
	RemoveRole(ctx context.Context, tenantID, userID, roleID ID) error
	// SetUserRoles replaces all roles for a user.
	SetUserRoles(ctx context.Context, tenantID, userID ID, roleIDs []ID, assignedBy *ID) error
	// BulkAssignRoleToUsers assigns a role to multiple users at once.
	BulkAssignRoleToUsers(ctx context.Context, tenantID, roleID ID, userIDs []ID, assignedBy *ID) error
	// ListRoleMembers returns all users who have a specific role in a tenant.
	ListRoleMembers(ctx context.Context, tenantID, roleID ID) ([]*UserRole, error)
	// CountUsersWithRole returns the count of users with a specific role.
	CountUsersWithRole(ctx context.Context, roleID ID) (int, error)
}
Repository defines the interface for role persistence operations.
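The overview and the GetUserPermissions / HasFullDataAccess comments above describe two rules that matter for authorization review: a user's permissions are the union of all assigned roles, and a single role with full data access widens the user's scope regardless of the other roles; the errors section adds that system roles are immutable. The following is an added example, not the package's own code: because the package's Role fields are unexported and its import path is not given on this page, it uses a constructed stand-in Role and redefines ErrCannotModifySystemRole so it runs stand-alone.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel redefined here so the example is stand-alone (same text as the package's).
var ErrCannotModifySystemRole = errors.New("cannot modify system role")

// Role is a constructed stand-in for the package's Role, whose fields are unexported.
type Role struct {
	Slug              string
	IsSystem          bool
	HasFullDataAccess bool
	Permissions       map[string]bool // permission IDs such as "assets:read"
}

// AddPermission enforces the documented invariant: system roles cannot be modified.
func (r *Role) AddPermission(p string) error {
	if r.IsSystem {
		return ErrCannotModifySystemRole
	}
	if r.Permissions == nil {
		r.Permissions = map[string]bool{}
	}
	r.Permissions[p] = true
	return nil
}

// EffectiveAccess folds a user's roles the way GetUserPermissions and HasFullDataAccess
// describe: permissions are the UNION of all roles, and full data access is granted if ANY
// role carries it, so one broad role widens the user's scope regardless of the others.
func EffectiveAccess(roles []*Role) (map[string]bool, bool) {
	perms, full := map[string]bool{}, false
	for _, r := range roles {
		full = full || r.HasFullDataAccess
		for p := range r.Permissions {
			perms[p] = true
		}
	}
	return perms, full
}

func main() {
	viewer := &Role{Slug: "viewer", IsSystem: true, Permissions: map[string]bool{"assets:read": true}} // constructed sample data
	auditor := &Role{Slug: "auditor", HasFullDataAccess: true, Permissions: map[string]bool{"reports:read": true}}
	perms, full := EffectiveAccess([]*Role{viewer, auditor})
	fmt.Println(viewer.AddPermission("assets:write"), len(perms), full) // cannot modify system role 2 true
}
```

When reviewing a user's access, check the folded result rather than any single role: a narrowly scoped custom role does nothing to restrict what a second, broader role already grants.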
type Role
type Role struct {
	// contains filtered or unexported fields
}
Role represents a role entity that defines a set of permissions.
func New
func New(
	tenantID ID,
	slug string,
	name string,
	description string,
	hierarchyLevel int,
	hasFullDataAccess bool,
	permissions []string,
	createdBy ID,
) *Role
New creates a new custom role for a tenant.
func Reconstruct
func Reconstruct(
	id ID,
	tenantID *ID,
	slug string,
	name string,
	description string,
	isSystem bool,
	hierarchyLevel int,
	hasFullDataAccess bool,
	permissions []string,
	createdAt time.Time,
	updatedAt time.Time,
	createdBy *ID,
) *Role
Reconstruct creates a role from persistence data.
func (*Role) AddPermission
AddPermission adds a permission to the role.
func (*Role) Description
Description returns the role description.
func (*Role) HasFullDataAccess
HasFullDataAccess returns true if users with this role can see all data.
func (*Role) HasPermission
HasPermission checks if the role has a specific permission.
func (*Role) HierarchyLevel
HierarchyLevel returns the hierarchy level.
func (*Role) PermissionCount
PermissionCount returns the number of permissions.
func (*Role) Permissions
Permissions returns the list of permission IDs.
func (*Role) RemovePermission
RemovePermission removes a permission from the role.
func (*Role) SetPermissions
SetPermissions replaces the role's permissions.
type UserRole
type UserRole struct {
	ID         ID
	UserID     ID
	TenantID   ID
	RoleID     ID
	Role       *Role // Populated when fetching with role details
	AssignedAt time.Time
	AssignedBy *ID
	// User details (populated from JOIN when fetching members)
	UserName      string
	UserEmail     string
	UserAvatarURL string
}
UserRole represents a role assigned to a user.
func NewUserRole
NewUserRole creates a new user role assignment.