permission.go 3.5 KB

// Package example_basics appears to hold example code for documentation. This
// file collects the permission examples; each fragment between a
// @snippet_begin(NAME) and @snippet_end marker is one named snippet, so the
// marker comments must stay exactly as written.
package example_basics

import (
	"net/http"

	"github.com/ory/ladon"
	"github.com/qor5/admin/presets"
	"github.com/qor5/x/perm"
)

// permissionPieces groups the permission snippets in one function body so that
// they type-check together. The declarations placed between snippets (Who,
// permBuilder, presetsBuilder, getCurrentUser, ...) are scaffolding only: they
// are declared but never assigned, so nothing here is set up to be executed.
func permissionPieces() {
	// Reference each identifier once so it can be shown as its own snippet;
	// the slice itself is discarded.
	_ = []interface{}{
		// @snippet_begin(PermissionAllowed)
		perm.Allowed,
		// @snippet_end

		// @snippet_begin(PermissionDenied)
		perm.Denied,
		// @snippet_end

		// @snippet_begin(PermissionPermList)
		presets.PermList,
		// @snippet_end

		// @snippet_begin(PermissionPermGet)
		presets.PermGet,
		// @snippet_end

		// @snippet_begin(PermissionPermCreate)
		presets.PermCreate,
		// @snippet_end

		// @snippet_begin(PermissionPermUpdate)
		presets.PermUpdate,
		// @snippet_end

		// @snippet_begin(PermissionPermDelete)
		presets.PermDelete,
		// @snippet_end
	}

	// Placeholders for the generic policy shape shown next.
	var Who, Able, What, Something string
	var Context perm.Conditions

	// @snippet_begin(PermissionSyntax)
	// Policy shape: subject (Who), effect (Able, e.g. perm.Allowed or
	// perm.Denied), action (What), resource (Something), conditions (Context).
	perm.PolicyFor(Who).WhoAre(Able).ToDo(What).On(Something).Given(Context)
	// @snippet_end

	var permBuilder perm.Builder
	var subjects_like_user_roles []string

	// @snippet_begin(PermissionSubjectsFunc)
	// Returns the subject strings for a request; the strings given to
	// PolicyFor(...) are presumably matched against these.
	// NOTE(review): derive them from the authenticated session on the server,
	// not from values the client can set.
	permBuilder.SubjectsFunc(func(r *http.Request) []string {
		return subjects_like_user_roles
	})
	// @snippet_end

	type resource1 struct {
		Owner string
	}

	// @snippet_begin(PermissionContextFunc)
	// Builds the context for a check from the objects being checked. The key
	// written here ("owner") is the same key used in Given(...) in the
	// PermissionGivenFunc snippet.
	permBuilder.ContextFunc(func(r *http.Request, objs []interface{}) perm.Context {
		c := make(perm.Context)
		for _, obj := range objs {
			switch v := obj.(type) {
			// Matches resource1 passed by value only; a *resource1 would not
			// match and would leave "owner" unset.
			case resource1:
				c["owner"] = v.Owner
				// ...other resource cases
			}
		}
		// NOTE(review): an object with no matching case adds no key. Confirm
		// that a condition whose key is absent counts as not fulfilled (deny).
		return c
	})
	// @snippet_end

	// @snippet_begin(PermissionGivenFunc)
	// The condition key "owner" has to be the key that ContextFunc fills in.
	// EqualsSubjectCondition presumably requires that value to equal the
	// subject of the request; confirm against the ladon documentation.
	perm.PolicyFor(Who).WhoAre(Able).ToDo(What).On("*:resource1:*").Given(perm.Conditions{
		"owner": &ladon.EqualsSubjectCondition{},
	})
	// @snippet_end

	// Scaffolding for the complete example below.
	var presetsBuilder *presets.Builder
	type User struct {
		ID    string
		Roles []string
	}
	var getCurrentUser func(r *http.Request) *User
	type Article struct {
		OwnerID string
	}

	// @snippet_begin(PermissionExample)
	presetsBuilder.Permission(
		perm.New().Policies(
			// admin can do anything
			perm.PolicyFor("admin").WhoAre(perm.Allowed).ToDo(perm.Anything).On(perm.Anything),
			// viewer can view anything except users
			// NOTE(review): this relies on the Denied policy taking precedence
			// over the Allowed one for "*:users:*"; confirm that ordering rule.
			perm.PolicyFor("viewer").WhoAre(perm.Allowed).ToDo(presets.PermRead...).On(perm.Anything),
			perm.PolicyFor("viewer").WhoAre(perm.Denied).ToDo(perm.Anything).On("*:users:*"),
			// editor can edit their own articles
			// NOTE(review): the policy subject is the role "editor" while
			// "owner_id" holds a user ID; cover this with a test showing that
			// an editor cannot change another user's article.
			perm.PolicyFor("editor").WhoAre(perm.Allowed).ToDo(perm.Anything).On("*:articles:*").Given(perm.Conditions{
				"owner_id": &ladon.EqualsSubjectCondition{},
			}),
		).SubjectsFunc(func(r *http.Request) (ss []string) {
			// NOTE(review): if getCurrentUser can return nil (for example an
			// unauthenticated request), user.ID panics. Decide explicitly how
			// anonymous requests are handled, and confirm that an empty
			// subject list is denied before relying on it.
			user := getCurrentUser(r)
			// NOTE(review): the ID and the role names share one list of
			// subjects. A user ID equal to a role name such as "admin" would
			// be indistinguishable from that role, so make sure IDs cannot
			// collide with role names.
			ss = append(ss, user.ID)
			ss = append(ss, user.Roles...)
			return ss
		}).ContextFunc(func(r *http.Request, objs []interface{}) perm.Context {
			c := make(perm.Context)
			for _, obj := range objs {
				switch v := obj.(type) {
				// Matches *Article only; an Article passed by value would
				// leave "owner_id" unset.
				case *Article:
					c["owner_id"] = v.OwnerID
				}
			}
			return c
		}),
	)
	// @snippet_end

	// @snippet_begin(PermissionVerbose)
	// Package-level switch, so it affects every check in the process.
	// NOTE(review): presumably logs permission decisions; check what is
	// written before enabling it outside of debugging.
	perm.Verbose = true
	// @snippet_end

	var r *http.Request
	var user interface{}

	// @snippet_begin(PermissionNewVerifier)
	// Verifier named "module_users", backed by the permission configuration
	// registered on presetsBuilder.
	verifier := perm.NewVerifier("module_users", presetsBuilder.GetPermission())
	// @snippet_end

	// @snippet_begin(PermissionVerifierCheck)
	// A nil result from IsAllowed means the action is permitted.
	if verifier.Do("ban").ObjectOn(user).WithReq(r).IsAllowed() == nil {
		// ui: show the ban button
		// action: can execute the ban action
		// Hiding the button is not enforcement: the handler that performs the
		// ban has to run this same check itself.
	}
	// @snippet_end

	// @snippet_begin(PermissionAddCustomPolicy)
	// Grants the custom "ban" action checked above to "super_admin". The
	// result is discarded here; in real code it presumably has to be passed
	// to Policies(...), as in PermissionExample, to take effect.
	perm.PolicyFor("super_admin").WhoAre(perm.Allowed).ToDo("ban").On(":module_users:*")
	// @snippet_end
}