Documentation
¶
Overview ¶
Package ash implements a highly configurable and callback based ACL that can be used to authorize controller operations in a declarative way.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
Types ¶
type Authorizer ¶
An Authorizer should inspect the specified context and asses if it is able to enforce authorization with the data that is available. If yes, the authorizer should return an Enforcer that will enforce the authorization.
func And ¶
func And(a, b Authorizer) Authorizer
And will run the callbacks and return immediately if one does not return an enforcer. Two successfully returned enforcer ar wrapped in one that executes both.
func Or ¶
func Or(a, b Authorizer) Authorizer
Or will run the first callback and return its enforcer on success. If no enforcer is returned it will run the second callback and return its result.
func (Authorizer) And ¶
func (a Authorizer) And(b Authorizer) Authorizer
And will run And() with the current and specified authorizer.
func (Authorizer) Or ¶
func (a Authorizer) Or(b Authorizer) Authorizer
Or will run Or() with the current and specified authorizer.
type Enforcer ¶
An Enforcer is returned by an Authorizer to enforce the previously inspected Authorization.
Enforcers should only return errors if the request is clearly not allowed for the presented candidate and that this information is general knowledge (e.g. API documentation). In order to prevent the leakage of implementation details the enforcer should mutate the context's Query field to hide existing data from the candidate.
func AccessDenied ¶
func AccessDenied() Enforcer
AccessDenied will enforce the authorization by directly returning an access denied error. It should be used if the request should not be authorized in any case (.e.g a candidate accessing a resource he has clearly no access to).
Note: Usually access is denied by returning no enforcer. This enforcer should only be returned to immediately stop the authorization process.
func AccessGranted ¶
func AccessGranted() Enforcer
AccessGranted will enforce the authorization without any changes to the context. It should be used if the presented candidate has full access to the data (.e.g a superuser).
func AddFilter ¶ added in v0.11.0
AddFilter will enforce the authorization by adding the passed filters to the Filter query of the context. It should be used if the candidate is allowed to access the resource in general, but some records should be filtered out.
func HideFilter ¶
func HideFilter() Enforcer
HideFilter will enforce the authorization by adding a falsy filter to the Filter query of the context, so that no records will be returned. It should be used if the requested resource should be hidden from the candidate.
type M ¶ added in v0.10.0
type M map[string][]Authorizer
M is a short-hand type to create a map of authorizers.
type Strategy ¶
type Strategy struct {
// Single operations.
List []Authorizer
Find []Authorizer
Create []Authorizer
Update []Authorizer
Delete []Authorizer
// Single action operations.
CollectionAction map[string][]Authorizer
ResourceAction map[string][]Authorizer
// All action operations.
CollectionActions []Authorizer
ResourceActions []Authorizer
// All List and Find operations.
Read []Authorizer
// All Create, Update and Delete operations.
Write []Authorizer
// All CollectionAction and ResourceAction operations.
Actions []Authorizer
// All operations.
All []Authorizer
}
Strategy contains lists of authorizers that are used to authorize the request.
Source Files