authz

package
v1.22.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 1, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Authorizer

type Authorizer struct {
	// contains filtered or unexported fields
}

func New added in v1.18.0

func New(db storage.DBTX) Authorizer

func (Authorizer) Authorize

func (a Authorizer) Authorize(ctx context.Context, orgID uuid.UUID, ancestor uuid.UUID, objects []uuid.UUID) error

Authorize reports whether the caller in ctx may write objects in orgID. It returns nil when allowed and a PermissionDenied status otherwise; it never returns InvalidArgument. Writing the organization resource (an object equal to orgID) is owner-only and must be the sole object in the batch; a batch that mixes the org resource with other objects is denied here as defense-in-depth. The handler validates batch shape first and surfaces that case as InvalidArgument, so in normal operation a mixed batch never reaches this deny path. A non-owner caller is allowed when it holds a relationships-admin grant on the ancestor, or on every object in the batch.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL