# The only actor type in this policy. Users are identified by the value
# given in User{...} (e.g. User{"Peter"} in the tests below).
actor User { }
# Organizations carry two roles. `"member" if "admin"` means every admin is
# also treated as a member, so rules below that check for "member" are
# satisfied by admins as well.
resource Organization {
  roles = ["admin", "member"];
  "member" if "admin";
}
# Folders are where most access is attached. A folder may sit inside a
# parent folder ("folder" relation), belong to an organization, and have a
# single owning user.
resource Folder {
  permissions = ["read", "write"];
  roles = ["reader", "writer"];
  relations = {
    folder: Folder,
    organization: Organization,
    owner: User
  };

  # Role sources.
  # The owner relation grants the writer role.
  "writer" if "owner";
  # Any role held on the parent folder is inherited by this folder
  # (this is what lets roles "bubble down" through subfolders).
  role if role on "folder";
  # Admins of the related organization are writers on its folders.
  "writer" if "admin" on "organization";

  # Permissions derived from roles; "write" implies "read".
  "read" if "write";
  "read" if "reader";
  "write" if "writer";
}
# Files live inside a folder and may have a single owning user. Unlike
# Folder, File declares no organization relation, so organization-level
# access (e.g. org admins) only reaches a file through its folder via
# `role if role on "folder"`.
resource File {
  permissions = ["read", "write"];
  roles = ["reader", "writer"];
  relations = {
    folder: Folder,
    owner: User
  };

  # Role sources.
  # The owner relation grants the writer role.
  "writer" if "owner";
  # Any role held on the containing folder is inherited by the file.
  role if role on "folder";

  # Permissions derived from roles; "write" implies "read".
  "read" if "write";
  "read" if "reader";
  "write" if "writer";
}
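# Members of an organization get the reader role on that organization's
# folders that are flagged is_readable_by_org.
#
# The `has_relation(folder, "organization", organization)` conjunct ties the
# organization variable to the folder being checked. Without it the
# variable is only type-constrained (`matches Organization`), so membership
# in any organization at all would grant read on every readable-by-org
# folder, regardless of which organization the folder belongs to.
has_role(user: User, "reader", folder: Folder) if
  organization matches Organization and
  has_relation(folder, "organization", organization) and
  is_readable_by_org(folder) and
  has_role(user, "member", organization);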
# Members of an organization get the reader role on a file that is itself
# flagged is_readable_by_org.
#
# NOTE(review): the organization variable is only type-constrained here —
# nothing relates it to the file — so a member of any organization
# satisfies this rule for any file flagged is_readable_by_org. File
# declares no organization relation, so scoping this to a specific
# organization would have to go through the file's "folder" relation
# (compare the rule below that uses has_relation(file, "folder", folder)).
# Confirm the intended scope before tightening.
has_role(user: User, "reader", file: File) if
  organization matches Organization and
  is_readable_by_org(file) and
  has_role(user, "member", organization);
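# A file inherits readable-by-org from the folder it sits in: members of
# the organization that folder belongs to get the reader role on the file.
#
# The `has_relation(folder, "organization", organization)` conjunct pins
# the organization variable to the file's folder. Without it the variable
# is only type-constrained (`matches Organization`), so membership in any
# organization would be enough to read every file inside a readable-by-org
# folder, whichever organization owns that folder.
has_role(user: User, "reader", file: File) if
  organization matches Organization and
  folder matches Folder and
  is_readable_by_org(folder) and
  has_relation(file, "folder", folder) and
  has_relation(folder, "organization", organization) and
  has_role(user, "member", organization);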
# Any user may read a file flagged is_public; the actor is ignored (hence
# the `_user` name). Only "read" is granted this way — "write" on a public
# file still requires the writer role.
has_permission(_user: User, "read", file: File) if
  is_public(file);
# Owning a file grants the writer role on it (`"writer" if "owner"` in
# File), which yields "write". A user without the owner relation is denied.
test "can write folder and contents if file owner" {
  setup {
    has_relation(File{"tps-reports/tps-report-1999.txt"}, "owner", User{"Peter"});
  }
  assert allow(User{"Peter"}, "write", File{"tps-reports/tps-report-1999.txt"});
  assert_not allow(User{"Michael"}, "write", File{"tps-reports/tps-report-1999.txt"});
}
# Owning a folder grants writer on the folder and, through role inheritance
# (`role if role on "folder"` in File), on files inside it. The payroll
# file is set up but not asserted on; the negative case is a user with no
# relation to the folder at all.
test "can write folder and contents if folder owner" {
  setup {
    has_relation(Folder{"tps-reports"}, "owner", User{"Bill"});
    has_relation(File{"tps-reports/tps-report-1999.txt"}, "folder", Folder{"tps-reports"});
    has_relation(File{"payroll/office-expenses.txt"}, "folder", Folder{"payroll"});
  }
  assert allow(User{"Bill"}, "write", File{"tps-reports/tps-report-1999.txt"});
  assert allow(User{"Bill"}, "write", Folder{"tps-reports"});
  assert_not allow(User{"Peter"}, "write", Folder{"tps-reports"});
}
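# A member of the folder's organization may read a folder flagged
# is_readable_by_org, but not an unflagged sibling folder.
#
# The second organization and user ("Initrode" / "Bob", constructed for
# this test) check that membership in an unrelated organization does not
# unlock the flagged folder — the original test used a single organization
# and so could not tell the two cases apart.
test "can read folder if member of org and folder is readable by org" {
  setup {
    has_role(User{"Samir"}, "member", Organization{"Initech"});
    has_role(User{"Bob"}, "member", Organization{"Initrode"});
    has_relation(Folder{"tps-reports"}, "organization", Organization{"Initech"});
    has_relation(Folder{"payroll"}, "organization", Organization{"Initech"});
    is_readable_by_org(Folder{"tps-reports"});
  }
  assert allow(User{"Samir"}, "read", Folder{"tps-reports"});
  assert_not allow(User{"Samir"}, "read", Folder{"payroll"});
  assert_not allow(User{"Bob"}, "read", Folder{"tps-reports"});
}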
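# A member of the folder's organization may read a file inside a folder
# flagged is_readable_by_org, but not a file inside an unflagged folder.
#
# The second organization and user ("Initrode" / "Bob", constructed for
# this test) check that membership in an unrelated organization does not
# unlock files in the flagged folder — the original test used a single
# organization and so could not tell the two cases apart.
test "can read file if member of org and folder is readable by org" {
  setup {
    has_role(User{"Samir"}, "member", Organization{"Initech"});
    has_role(User{"Bob"}, "member", Organization{"Initrode"});
    has_relation(Folder{"tps-reports"}, "organization", Organization{"Initech"});
    has_relation(Folder{"payroll"}, "organization", Organization{"Initech"});
    is_readable_by_org(Folder{"tps-reports"});
    has_relation(File{"tps-reports/tps-report-1999.txt"}, "folder", Folder{"tps-reports"});
    has_relation(File{"payroll/office-expenses.txt"}, "folder", Folder{"payroll"});
  }
  assert allow(User{"Samir"}, "read", File{"tps-reports/tps-report-1999.txt"});
  assert_not allow(User{"Samir"}, "read", File{"payroll/office-expenses.txt"});
  assert_not allow(User{"Bob"}, "read", File{"tps-reports/tps-report-1999.txt"});
}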
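# is_public grants "read" to anyone, but nothing else: a non-public file is
# not readable, and the public file is still not writable.
#
# The write assertion now targets the public file ("test.txt"). The
# original asserted on "text.txt", a file with no facts at all, so it was
# denied trivially and never checked that public read does not leak into
# write.
test "can read public file" {
  setup {
    is_public(File{"test.txt"});
  }
  assert allow(User{"Samir"}, "read", File{"test.txt"});
  assert_not allow(User{"Samir"}, "read", File{"text2.txt"});
  assert_not allow(User{"Samir"}, "write", File{"test.txt"});
}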
# A role granted on a folder is inherited through the "folder" relation
# (`role if role on "folder"` in both Folder and File): reader on
# tps-reports reaches the subfolder and the file inside it. A folder with
# no relation to tps-reports stays denied.
test "roles on folders bubble down to files in subfolders" {
  setup {
    has_role(User{"Samir"}, "reader", Folder{"tps-reports"});
    has_relation(Folder{"tps-reports/1999"}, "folder", Folder{"tps-reports"});
    has_relation(File{"tps-reports/1999/peter.txt"}, "folder", Folder{"tps-reports/1999"});
  }
  assert allow(User{"Samir"}, "read", Folder{"tps-reports"});
  assert allow(User{"Samir"}, "read", Folder{"tps-reports/1999"});
  assert allow(User{"Samir"}, "read", File{"tps-reports/1999/peter.txt"});
  assert_not allow(User{"Samir"}, "read", Folder{"payroll"});
}