rbac

package module
v0.0.4
Published: Feb 20, 2026 License: MIT Imports: 4 Imported by: 0

README

tinywasm/rbac

RBAC implements Role-Based Access Control to manage roles and permissions.

Documentation

Usage

See docs/IMPLEMENTATION.md for integration examples and API documentation.

Testing

Run tests:

go test ./tests/...

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AssignPermission added in v0.0.2

func AssignPermission(roleID, permID string) error

func AssignRole added in v0.0.2

func AssignRole(userID, roleID string) error

func CreatePermission added in v0.0.2

func CreatePermission(id, name, resource string, action byte) error

func CreateRole added in v0.0.2

func CreateRole(id string, code byte, name, description string) error

func DeletePermission added in v0.0.2

func DeletePermission(id string) error

func DeleteRole added in v0.0.2

func DeleteRole(id string) error

func GetUserRoleCodes added in v0.0.2

func GetUserRoleCodes(userID string) ([]byte, error)

func HasPermission added in v0.0.2

func HasPermission(userID, resource string, action byte) (bool, error)

func Init added in v0.0.2

func Init(exec Executor) error

Init initializes the package-level singleton. Safe to call multiple times; only the first call has effect (sync.Once).

func Register added in v0.0.2

func Register(handlers ...any) error

func RevokePermission added in v0.0.2

func RevokePermission(roleID, permID string) error

func RevokeRole added in v0.0.2

func RevokeRole(userID, roleID string) error

func SetLog added in v0.0.2

func SetLog(fn func(messages ...any))

SetLog configures the logger used by rbac for internal events (SQL errors, cache load events, write-through mutations). Default: no-op — rbac is silent unless SetLog is called. Call before Init().

Example:

rbac.SetLog(func(msg ...any) { log.Println(msg...) })

Types

type Executor added in v0.0.2

type Executor interface {
	Exec(query string, args ...any) error
	QueryRow(query string, args ...any) Scanner
	Query(query string, args ...any) (Rows, error)
}

Executor is the primary SQL dependency interface. It is declared in terms of Scanner and Rows so that the package never imports database/sql. Because Go interface satisfaction requires identical method signatures, *sql.DB and *sql.Tx do not satisfy Executor directly (their Exec returns (sql.Result, error), QueryRow returns *sql.Row and Query returns (*sql.Rows, error)); a thin adapter that discards the sql.Result and returns the row types through the Scanner and Rows interfaces is needed.
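An adapter that lets a *sql.DB or *sql.Tx be passed as Executor, written here as an added example rather than code from the rbac package. The three interfaces are copied from this page so the file compiles without importing rbac; sqlHandle, SQLExecutor, NewSQLExecutor and the stubHandle used to exercise the error paths offline are assumptions made for the example.

```go
package main

import (
	"database/sql"
	"errors"
	"fmt"
)

// Interfaces copied from the rbac documentation so this file compiles
// without importing the package.
type Scanner interface {
	Scan(dest ...any) error
}

type Rows interface {
	Next() bool
	Scan(dest ...any) error
	Close() error
	Err() error
}

type Executor interface {
	Exec(query string, args ...any) error
	QueryRow(query string, args ...any) Scanner
	Query(query string, args ...any) (Rows, error)
}

// sqlHandle is the subset of database/sql methods the adapter needs.
// Both *sql.DB and *sql.Tx satisfy it, so one adapter serves both.
type sqlHandle interface {
	Exec(query string, args ...any) (sql.Result, error)
	QueryRow(query string, args ...any) *sql.Row
	Query(query string, args ...any) (*sql.Rows, error)
}

// SQLExecutor adapts a *sql.DB or *sql.Tx to rbac's Executor (example type).
type SQLExecutor struct {
	h sqlHandle
}

func NewSQLExecutor(h sqlHandle) *SQLExecutor { return &SQLExecutor{h: h} }

func (e *SQLExecutor) Exec(query string, args ...any) error {
	_, err := e.h.Exec(query, args...) // rbac only needs the error
	return err
}

func (e *SQLExecutor) QueryRow(query string, args ...any) Scanner {
	return e.h.QueryRow(query, args...) // *sql.Row satisfies Scanner
}

func (e *SQLExecutor) Query(query string, args ...any) (Rows, error) {
	rows, err := e.h.Query(query, args...)
	if err != nil {
		// Return an untyped nil: a nil *sql.Rows wrapped in the Rows
		// interface would compare != nil and invite a nil dereference.
		return nil, err
	}
	return rows, nil
}

// Compile-time checks: the adapter satisfies Executor, database/sql's row
// types satisfy Scanner and Rows, and both DB and Tx fit the handle interface.
var (
	_ Executor  = (*SQLExecutor)(nil)
	_ Scanner   = (*sql.Row)(nil)
	_ Rows      = (*sql.Rows)(nil)
	_ sqlHandle = (*sql.DB)(nil)
	_ sqlHandle = (*sql.Tx)(nil)
)

// stubHandle is a constructed sqlHandle that fails every call, used to show
// the adapter's error paths without a database driver.
type stubHandle struct{ err error }

func (s stubHandle) Exec(string, ...any) (sql.Result, error) { return nil, s.err }
func (s stubHandle) QueryRow(string, ...any) *sql.Row        { return new(sql.Row) }
func (s stubHandle) Query(string, ...any) (*sql.Rows, error) { return nil, s.err }

func main() {
	var exec Executor = NewSQLExecutor(stubHandle{err: errors.New("no database")})
	fmt.Println(exec.Exec("SELECT 1"))
	rows, err := exec.Query("SELECT 1")
	fmt.Println(rows == nil, err) // true: no typed-nil interface leaks out
	// Real use: rbac.Init(NewSQLExecutor(db)) with db a *sql.DB, or
	// NewSQLExecutor(tx) to run the migration inside a transaction.
}
```

Pass the adapter to rbac.Init or rbac.New; wrapping a *sql.Tx instead of the *sql.DB lets role seeding run atomically with the rest of a startup transaction.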

type Permission added in v0.0.2

type Permission struct {
	ID       string
	Name     string
	Resource string
	Action   byte
}

func GetPermission added in v0.0.2

func GetPermission(id string) (*Permission, error)

func ListPermissions added in v0.0.2

func ListPermissions() ([]Permission, error)

type Role added in v0.0.2

type Role struct {
	ID          string
	Code        byte
	Name        string
	Description string
}

func GetRole added in v0.0.2

func GetRole(id string) (*Role, error)

func GetRoleByCode added in v0.0.2

func GetRoleByCode(code byte) (*Role, error)

func GetUserRoles added in v0.0.2

func GetUserRoles(userID string) ([]Role, error)

func ListRoles added in v0.0.2

func ListRoles() ([]Role, error)

type Rows added in v0.0.2

type Rows interface {
	Next() bool
	Scan(dest ...any) error
	Close() error
	Err() error
}

Rows is the interface for iterating multi-row results. Satisfied by *sql.Rows.

type Scanner added in v0.0.2

type Scanner interface {
	Scan(dest ...any) error
}

Scanner is the interface for scanning a single row result. Satisfied by *sql.Row.

type Store added in v0.0.2

type Store struct {
	// contains filtered or unexported fields
}

func New

func New(exec Executor) (*Store, error)

New creates a new store instance, runs migration, and loads the cache. After New() returns successfully, all authorization reads are served from memory.

func (*Store) AssignPermission added in v0.0.2

func (s *Store) AssignPermission(roleID, permID string) error

AssignPermission assigns a permission to a role.

func (*Store) AssignRole added in v0.0.2

func (s *Store) AssignRole(userID, roleID string) error

AssignRole assigns a role to a user.

func (*Store) CreatePermission added in v0.0.2

func (s *Store) CreatePermission(id, name, resource string, action byte) error

CreatePermission creates a new permission. Uses:

INSERT INTO rbac_permissions ... ON CONFLICT (resource, action) DO NOTHING

Idempotent: each domain module can register its permissions on every startup.

func (*Store) CreateRole added in v0.0.2

func (s *Store) CreateRole(id string, code byte, name, description string) error

CreateRole creates a new role. Uses:

INSERT INTO rbac_roles ... ON CONFLICT (code) DO NOTHING

Idempotent: safe to call on every startup with the same code.

func (*Store) DeletePermission added in v0.0.2

func (s *Store) DeletePermission(id string) error

DeletePermission deletes a permission by ID.

func (*Store) DeleteRole added in v0.0.2

func (s *Store) DeleteRole(id string) error

DeleteRole deletes a role by ID.

func (*Store) GetPermission added in v0.0.2

func (s *Store) GetPermission(id string) (*Permission, error)

GetPermission returns a permission by ID from cache.

func (*Store) GetRole added in v0.0.2

func (s *Store) GetRole(id string) (*Role, error)

GetRole returns a role by ID from cache.

func (*Store) GetRoleByCode added in v0.0.2

func (s *Store) GetRoleByCode(code byte) (*Role, error)

GetRoleByCode returns a role by Code from cache.

func (*Store) GetUserRoleCodes added in v0.0.2

func (s *Store) GetUserRoleCodes(userID string) ([]byte, error)

GetUserRoleCodes returns the Code byte slice for all user roles (from cache). Returns []byte{'a', 'e'} for a user who is admin and editor. Compatible with any role-based access system that uses byte role codes.

func (*Store) GetUserRoles added in v0.0.2

func (s *Store) GetUserRoles(userID string) ([]Role, error)

GetUserRoles returns all Role records assigned to the user (from cache).

func (*Store) HasPermission added in v0.0.2

func (s *Store) HasPermission(userID, resource string, action byte) (bool, error)

HasPermission returns true if the user has any role that holds a permission matching {resource, action}. The answer comes from the in-memory cache (zero I/O), so a mutation made through a different Store instance or another process is not reflected in this instance's result.
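An HTTP middleware built on the HasPermission signature, added here as an example and not part of the rbac package. It fails closed on every path (no identity, unmapped method, lookup error, false result). The Authorizer interface matches (*Store).HasPermission exactly, so a real *rbac.Store can be passed in; the X-User-ID header, the HTTP-method-to-action letters (c/r/u/d; the docs only show 'r') and the staticAuthorizer stand-in with its constructed grants are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Authorizer is the one method the middleware needs; (*rbac.Store).HasPermission
// has this exact signature, so a Store satisfies it without an adapter.
type Authorizer interface {
	HasPermission(userID, resource string, action byte) (bool, error)
}

// actionFor maps an HTTP method to a single-byte action (letters assumed).
func actionFor(method string) (byte, bool) {
	switch method {
	case http.MethodGet, http.MethodHead:
		return 'r', true
	case http.MethodPost:
		return 'c', true
	case http.MethodPut, http.MethodPatch:
		return 'u', true
	case http.MethodDelete:
		return 'd', true
	}
	return 0, false
}

// Require allows the request only when the authenticated user holds
// {resource, action}. Every failure path denies.
func Require(az Authorizer, resource string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userID := r.Header.Get("X-User-ID") // assumption: set by an upstream auth layer
		if userID == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		action, ok := actionFor(r.Method)
		if !ok {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		allowed, err := az.HasPermission(userID, resource, action)
		if err != nil {
			// Fail closed: an authorizer error must never grant access,
			// even if the bool it returned alongside the error is true.
			http.Error(w, "authorization unavailable", http.StatusInternalServerError)
			return
		}
		if !allowed {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// staticAuthorizer is a constructed stand-in for *rbac.Store keyed by
// "user|resource|action"; user "err" simulates a lookup failure.
type staticAuthorizer map[string]bool

func (s staticAuthorizer) HasPermission(userID, resource string, action byte) (bool, error) {
	if userID == "err" {
		return true, errors.New("simulated lookup failure")
	}
	return s[fmt.Sprintf("%s|%s|%c", userID, resource, action)], nil
}

// SampleAuthorizer holds constructed grants: alice reads invoices, bob does everything.
func SampleAuthorizer() staticAuthorizer {
	return staticAuthorizer{
		"alice|invoice|r": true,
		"bob|invoice|r":   true,
		"bob|invoice|c":   true,
		"bob|invoice|u":   true,
		"bob|invoice|d":   true,
	}
}

// Probe sends one request through the middleware and returns the status code.
func Probe(az Authorizer, method, userID string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	h := Require(az, "invoice", okHandler)
	req := httptest.NewRequest(method, "/invoices", nil)
	if userID != "" {
		req.Header.Set("X-User-ID", userID)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	az := SampleAuthorizer()
	fmt.Println(Probe(az, http.MethodGet, "alice"), Probe(az, http.MethodDelete, "alice"),
		Probe(az, http.MethodDelete, "bob"), Probe(az, http.MethodGet, "err"), Probe(az, http.MethodGet, ""))
}
```

The error branch matters most: HasPermission returns (bool, error), and the middleware must ignore the bool whenever the error is non-nil rather than treating a half-returned true as a grant.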

func (*Store) ListPermissions added in v0.0.2

func (s *Store) ListPermissions() ([]Permission, error)

ListPermissions returns all permissions from cache.

func (*Store) ListRoles added in v0.0.2

func (s *Store) ListRoles() ([]Role, error)

ListRoles returns all roles from cache.

func (*Store) Migrate added in v0.0.2

func (s *Store) Migrate() error

Migrate runs the schema migration.

func (*Store) Register added in v0.0.2

func (s *Store) Register(handlers ...any) error

Register seeds permissions and role assignments into the database for each handler. It uses duck typing, so importing crudp is not required: a handler's HandlerName() is read as the resource name and AllowedRoles(action) as the role codes authorized for that action. Handlers that do not implement both methods are silently skipped, so such a handler ends up with no permissions seeded.

Permission name format: "resource:action" (e.g. "invoice:r") — readable in admin UIs.

All operations are idempotent:

  • CreatePermission uses ON CONFLICT (resource, action) DO NOTHING
  • AssignPermission uses ON CONFLICT DO NOTHING

Must be called after Init() and after roles are created (CreateRole / seeding). Generates permission IDs internally via unixid.New().
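The duck-typed contract described above, as an added example that is not the package's own code: PlanGrants models Register's seeding step locally (the real Register writes the rows to the database and generates IDs), assumes the signature AllowedRoles(action byte) []byte and that actions are the CRUD letters c/r/u/d, and adds the compile-time assertion a practitioner would want so that a handler which drifts from the contract fails the build instead of being silently skipped. InvoiceHandler, brokenHandler and the role codes 'a'/'e' are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// The two methods Register looks for by duck typing. The method names come
// from the rbac docs; the exact AllowedRoles signature is an assumption.
type named interface{ HandlerName() string }
type roled interface{ AllowedRoles(action byte) []byte }

// InvoiceHandler models a domain handler. Role codes 'a' (admin) and
// 'e' (editor) follow the docs' GetUserRoleCodes example.
type InvoiceHandler struct{}

func (InvoiceHandler) HandlerName() string { return "invoice" }
func (InvoiceHandler) AllowedRoles(action byte) []byte {
	switch action {
	case 'r':
		return []byte{'a', 'e'}
	case 'c', 'u', 'd':
		return []byte{'a'}
	}
	return nil
}

// Compile-time guard: Register silently skips a handler that lacks either
// method, leaving it with no permissions. This makes a renamed method or a
// changed signature a build error instead of a silent authorization gap.
var _ interface {
	named
	roled
} = InvoiceHandler{}

// Grant is one (role code, permission name) pair that Register would seed.
type Grant struct {
	Role byte
	Perm string
}

// actions are the CRUD letters assumed for this example.
var actions = []byte{'c', 'r', 'u', 'd'}

// PlanGrants models the seeding step: handlers missing either method are
// skipped and reported, permission names take the "resource:action" form.
func PlanGrants(handlers ...any) (grants []Grant, skipped []string) {
	for _, h := range handlers {
		n, okN := h.(named)
		r, okR := h.(roled)
		if !okN || !okR {
			skipped = append(skipped, fmt.Sprintf("%T", h))
			continue
		}
		for _, a := range actions {
			perm := fmt.Sprintf("%s:%c", n.HandlerName(), a)
			for _, code := range r.AllowedRoles(a) {
				grants = append(grants, Grant{Role: code, Perm: perm})
			}
		}
	}
	sort.Slice(grants, func(i, j int) bool {
		if grants[i].Perm != grants[j].Perm {
			return grants[i].Perm < grants[j].Perm
		}
		return grants[i].Role < grants[j].Role
	})
	return grants, skipped
}

// brokenHandler has the name method but not AllowedRoles: Register skips it.
type brokenHandler struct{}

func (brokenHandler) HandlerName() string { return "report" }

func main() {
	grants, skipped := PlanGrants(InvoiceHandler{}, brokenHandler{})
	for _, g := range grants {
		fmt.Printf("role %c <- %s\n", g.Role, g.Perm)
	}
	fmt.Println("skipped (no permissions seeded):", skipped)
}
```

Logging the skipped list at startup, or wiring it into SetLog, turns the silent skip into something an operator can see; the compile-time assertion catches the same mistake earlier, at build time.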

func (*Store) RevokePermission added in v0.0.2

func (s *Store) RevokePermission(roleID, permID string) error

RevokePermission revokes a permission from a role.

func (*Store) RevokeRole added in v0.0.2

func (s *Store) RevokeRole(userID, roleID string) error

RevokeRole revokes a role from a user.

func (*Store) SetLog added in v0.0.2

func (s *Store) SetLog(fn func(messages ...any))

Instance variant for pure DI usage (no global state).
