authorizer.go
package relationship
import (
	"context"
	"errors"

	"github.com/sourcenetwork/sourcehub/x/acp/auth_engine"
	"github.com/sourcenetwork/sourcehub/x/acp/types"
)
// NewRelationshipAuthorizer returns a RelationshipAuthorizer that delegates
// every authorization decision to engine.
func NewRelationshipAuthorizer(engine auth_engine.AuthEngine) *RelationshipAuthorizer {
	authorizer := RelationshipAuthorizer{engine: engine}
	return &authorizer
}
// RelationshipAuthorizer acts as an Authorization Request engine
// which validates whether a Relationship can be set or deleted by an Actor.
//
// The Permission evaluation is done through a Check call using the auxiliary permissions
// auto generated by the ACP module and attached to a permission.
//
// For instance, take the Relationship (obj:foo, reader, steve) being submitted by Actor Bob.
// Bob is allowed to Create that relationship if and only if:
// Bob has the permission _can_manage_reader for "obj:foo".
//
// Construct it with NewRelationshipAuthorizer; the zero value has no engine
// and must not be used.
type RelationshipAuthorizer struct {
	// engine answers the Check requests issued by IsAuthorized.
	engine auth_engine.AuthEngine
}
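// IsAuthorized validates whether actor is a manager for the given relationship.
//
// A given Relationship is only valid if for the Relationship's Object and Relation
// the Actor has an associated permission to manage the Object, Relation pair.
//
// The decision itself is delegated to the configured AuthEngine: the
// management permission name for relationship.Relation is looked up on
// policy (e.g. "_can_manage_reader" for relation "reader") and a Check for
// (relationship.Object, that permission) is issued on behalf of actor.
//
// A nil policy or relationship is rejected with an error instead of being
// dereferenced, so a malformed request fails closed (false, err) rather
// than panicking inside the authorizer.
func (a *RelationshipAuthorizer) IsAuthorized(ctx context.Context, policy *types.Policy, relationship *types.Relationship, actor *types.Actor) (bool, error) {
	if policy == nil {
		return false, errors.New("authorizing relationship: policy is nil")
	}
	if relationship == nil {
		return false, errors.New("authorizing relationship: relationship is nil")
	}

	// The management permission is the ACP-generated auxiliary permission
	// attached to the relation; holding it on the object is exactly what
	// "may manage this relation on this object" means here.
	authRequest := &types.Operation{
		Object:     relationship.Object,
		Permission: policy.GetManagementPermissionName(relationship.Relation),
	}
	return a.engine.Check(ctx, policy, authRequest, actor)
}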