mikespook/gorbac

Multilevel permissions

abrykajlo opened this issue · 1 comment

I am working on an API that involves interacting with models in a database. Users have either guest, owner, or admin roles on the data and have create, read, update, and delete permissions on the data. Each of those is different for each model, and each model only allows access to specific fields.

Example:
The user model has full CRUD, but only certain fields can be directly manipulated by owners, and there are only read permissions on some minimal values for guests. How would I go about using gorbac for my use case?

Usually, the role is used for classifying users, which means the role Admin is a group of people who have the right to do something similar. If you need more fine-grained permission controls, you should use the 3rd argument (i.e. the assert function) of the function IsGranted. You can check the ownership in that function, like whether the ids match, or whether it's the right time for the operation, etc.

And I can give you a brief example here:

if rbac.IsGranted(name, permission,
    func(name string, permission string, r *RBAC) bool {
        // Operating time is between 9am and 12pm
        h := time.Now().Hour()
        if h < 9 || h >= 12 {
            return false
        }
        // and the owner must match
        return article.Owner == user.Id
    }) {
}

And I strongly suggest using a closure function factory.
e.g.

func AssertFactory(a Article, u User) rbac.AssertFunction {
    return func(name string, permission string, r *RBAC) bool {
        // Operating time is between 9am and 12pm
        h := time.Now().Hour()
        if h < 9 || h >= 12 {
            return false
        }
        // and the owner must match (use the captured a and u, not outer variables)
        return a.Owner == u.Id
    }
}

if rbac.IsGranted(name, permission, AssertFactory(article, user)) {
    // permission granted
}
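A runnable version of the closure-factory pattern from the reply, added here as an example; it is not gorbac's code. The RBAC type, Article, User, the injected clock and the UpdatableFields policy are all stand-ins assumed for the example rather than the library's API. It goes one step beyond the reply by chaining an ownership assertion with a per-field assertion, which is the field-level control the question asks about.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed sample types for this example; gorbac has no Article or User.
type Article struct {
	ID    int
	Owner int
}

type User struct {
	ID int
}

// RBAC is a minimal stand-in for the role/permission check so the example
// runs offline. It is not gorbac's RBAC type.
type RBAC struct {
	grants map[string]map[string]bool // role -> permission -> granted
}

// AssertionFunc mirrors the callback shape used in the reply above.
type AssertionFunc func(name string, permission string, r *RBAC) bool

func NewRBAC() *RBAC {
	return &RBAC{grants: make(map[string]map[string]bool)}
}

// Assign grants a permission to a role.
func (r *RBAC) Assign(role, permission string) {
	if r.grants[role] == nil {
		r.grants[role] = make(map[string]bool)
	}
	r.grants[role][permission] = true
}

// IsGranted applies the coarse role check first, then the optional assertion.
// A nil assertion means "role check only".
func (r *RBAC) IsGranted(role, permission string, assert AssertionFunc) bool {
	if !r.grants[role][permission] {
		return false
	}
	if assert == nil {
		return true
	}
	return assert(role, permission, r)
}

// OwnerAssert builds the closure from the reply: the operation must happen
// between 9am and 12pm and the caller must own the article. The clock is
// injected (assumption for the example) so the window is testable.
func OwnerAssert(a Article, u User, now func() time.Time) AssertionFunc {
	return func(name string, permission string, r *RBAC) bool {
		h := now().Hour()
		if h < 9 || h >= 12 {
			return false
		}
		return a.Owner == u.ID
	}
}

// FieldAssert covers the per-field part of the question: allowed is a
// constructed policy of role -> field -> permitted.
func FieldAssert(field string, allowed map[string]map[string]bool) AssertionFunc {
	return func(name string, permission string, r *RBAC) bool {
		return allowed[name][field]
	}
}

// All chains assertions; every one must pass, so any deny wins.
func All(fs ...AssertionFunc) AssertionFunc {
	return func(name string, permission string, r *RBAC) bool {
		for _, f := range fs {
			if !f(name, permission, r) {
				return false
			}
		}
		return true
	}
}

// UpdatableFields is the constructed field policy for the "update" permission.
var UpdatableFields = map[string]map[string]bool{
	"owner": {"name": true, "email": true},
	"admin": {"name": true, "email": true, "role": true},
}

func main() {
	r := NewRBAC()
	r.Assign("guest", "read")
	r.Assign("owner", "update")
	r.Assign("admin", "update")

	art := Article{ID: 1, Owner: 42}
	at10 := func() time.Time { return time.Date(2024, 1, 1, 10, 0, 0, 0, time.UTC) }

	ok := r.IsGranted("owner", "update",
		All(OwnerAssert(art, User{ID: 42}, at10), FieldAssert("email", UpdatableFields)))
	fmt.Println("owner updates email at 10:00:", ok) // true
	ok = r.IsGranted("owner", "update",
		All(OwnerAssert(art, User{ID: 42}, at10), FieldAssert("role", UpdatableFields)))
	fmt.Println("owner updates role:", ok) // false: field not in the owner policy
}
```

The role check stays coarse (does this role hold this permission at all), and everything that depends on the request, such as who owns the row, which field is being written, or the time of day, lives in the assertion closure that the factory binds to the concrete article and user.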