blog_simple

v0.0.0-...-d2c4f05
Published: Aug 29, 2018 License: MIT Imports: 7 Imported by: 0

README

Simple Blog Example

This example shows how one can use rbac to manage permissions for a simple blog application. The application requires the following roles and permissions:

  • The Guest role can view and rate any article.
  • The Admin role can create, read, edit, delete, and rate any article.

Role    Create Article    Read Article    Edit Article    Delete Article    Rate Article
----------------------------------------------------------------------------------------
Guest   -                 Allow           -               -                 Allow
Admin   Allow             Allow           Allow           Allow             Allow

Creating the Roles

The roles.go file shows how one can implement this permission set.

Admin Role

Since the Admin role is allowed to do any action (CreateArticle, ReadArticle, EditArticle, DeleteArticle, and RateArticle), on any target (e.g. on any article), we can define that role's permissions in the following way:

func NewAdminRole() rbac.Role {
        return rbac.Role{
                RoleID: "Admin",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("*", "*"),
                },
        }
}

The rbac.NewGlobPermission function takes two arguments: actionPattern and targetPattern. It creates a permission that returns true if the requested action matches actionPattern and the requested target matches targetPattern. Since * is a wildcard in glob matching, we've created a permission that returns true for any action on any target. To put it more simply: this permission allows the Admin role to do anything.

admin := NewAdminRole()

// rbac.NewGlobPermission("*", "*") will cause this to return true since
// the "ReadArticle" action glob matches the "*" actionPattern in the permission
// and the "article_id" target glob matches the "*" targetPattern in the permission. 
admin.Can("ReadArticle", "article_id")

// rbac.NewGlobPermission("*", "*") will cause this to return true since
// the "DeleteArticle" action glob matches the "*" actionPattern in the permission
// and the "article_id" target glob matches the "*" targetPattern in the permission. 
admin.Can("DeleteArticle", "article_id")

Guest Role

Since the Guest role is only allowed to do the ReadArticle and RateArticle actions on any target (e.g. on any article), we can define that role's permissions in the following way:

func NewGuestRole() rbac.Role {
        return rbac.Role{
                RoleID: "Guest",
                Permissions: []rbac.Permission{
                        rbac.NewGlobPermission("ReadArticle", "*"),
                        rbac.NewGlobPermission("RateArticle", "*"),
                },
        }
}

The first permission we define, rbac.NewGlobPermission("ReadArticle", "*"), allows the role to perform the "ReadArticle" action on * (any) target. To put it more simply: this permission allows the Guest role to read any article.

The second permission we define, rbac.NewGlobPermission("RateArticle", "*"), allows the role to perform the "RateArticle" action on * (any) target. To put it more simply: this permission allows the Guest role to rate any article.

guest := NewGuestRole()

// rbac.NewGlobPermission("ReadArticle", "*") will cause this to return true since
// the "ReadArticle" action glob matches the "ReadArticle" actionPattern in the permission
// and the "article_id" target glob matches the "*" targetPattern in the permission. 
guest.Can("ReadArticle", "article_id") 

// this will return false because the guest role has no permissions
// that match the "DeleteArticle" action
guest.Can("DeleteArticle", "article_id") 

Try It Out

You can run this program yourself to view each role's permissions with the following commands:

$ go run *.go
Role: Guest
Action              ArticleID           Allowed
-----------------------------------------------
CreateArticle       -                   false
ReadArticle         a1                  true
EditArticle         a1                  false
DeleteArticle       a1                  false
RateArticle         a1                  true
$ go run *.go -role=admin
Role: Admin
Action              ArticleID           Allowed
-----------------------------------------------
CreateArticle       -                   true
ReadArticle         a1                  true
EditArticle         a1                  true
DeleteArticle       a1                  true
RateArticle         a1                  true
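
A glob that is slightly too wide silently grants extra actions, so it helps to check each role definition against the permission table at the top of this README. The following is an added example, not code from the rbac package or this repository: Permission, Role, Can, expected and Audit are hypothetical stand-ins, and the standard library's path.Match is assumed as a substitute for the library's glob matcher.

```go
package main

import (
	"fmt"
	"path"
	"sort"
)

// Permission and Role are stand-ins for the rbac types, not the library's code.
type Permission struct{ ActionPattern, TargetPattern string }
type Role struct {
	ID          string
	Permissions []Permission
}

// Can is default-deny. path.Match is an assumed stand-in matcher; its "*" does not cross "/".
func (r Role) Can(action, target string) bool {
	for _, p := range r.Permissions {
		a, errA := path.Match(p.ActionPattern, action)
		t, errT := path.Match(p.TargetPattern, target)
		if errA == nil && errT == nil && a && t {
			return true
		}
	}
	return false
}

// expected is the README's permission table (true = Allow).
var expected = map[string]map[string]bool{
	"Guest": {"CreateArticle": false, "ReadArticle": true, "EditArticle": false, "DeleteArticle": false, "RateArticle": true},
	"Admin": {"CreateArticle": true, "ReadArticle": true, "EditArticle": true, "DeleteArticle": true, "RateArticle": true},
}

// Audit lists every (role, action) decision that differs from the table.
func Audit(r Role, target string) []string {
	var drift []string
	for action, want := range expected[r.ID] {
		if got := r.Can(action, target); got != want {
			drift = append(drift, fmt.Sprintf("%s %s: got %t, want %t", r.ID, action, got, want))
		}
	}
	sort.Strings(drift)
	return drift
}

func main() {
	guest := Role{"Guest", []Permission{{"ReadArticle", "*"}, {"RateArticle", "*"}}}
	wide := Role{"Guest", []Permission{{"*Article", "*"}}} // constructed: over-broad glob
	fmt.Println(Audit(guest, "a1"), Audit(wide, "a1"))
}
```

The Guest definition from this README produces no drift, while the constructed "*Article" variant is reported for CreateArticle, DeleteArticle and EditArticle.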
