access_decision_manager v0.2.1 AccessDecisionManager
Inspired by Symfony’s Access Decision Manager, security “voters” are a granular way of checking permissions (e.g. “can this specific user edit the given item?”).
For example, you may want to check if the current user (primary subject) can “DELETE_COMMENT” (attribute) a Blog (secondary subject).
Or you may simply want to check if the current user (primary subject) has “ROLE_ADMIN” (attribute).
All voters are called each time you use the granted?() function. AccessDecisionManager then takes the responses from all voters and makes the final decision (to allow or deny access to the resource) according to the strategy defined.
There are three “strategies”:
:strategy_affirmative (default): This grants access as soon as there is one voter granting access.
:strategy_consensus: This grants access if there are more voters granting access than denying.
:strategy_unanimous: This only grants access if there is no voter denying access.
If all voters abstained from voting, the decision is based on the allow_if_all_abstain config option (which defaults to false).
The default (and only currently supported) strategy is :strategy_affirmative. Support for :strategy_unanimous and :strategy_consensus is TBD.
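The three strategies and the all-abstain fallback, as an added sketch that is not AccessDecisionManager's own code. The module name, the vote atoms (:granted, :denied, :abstain) and decide/3 are assumptions, and all three strategies are implemented as described above even though only :strategy_affirmative is supported at this version.

```elixir
defmodule DecisionSketch do
  @moduledoc """
  Added illustration only, not AccessDecisionManager's code. The vote atoms
  (:granted, :denied, :abstain) and the function names are assumptions.
  """

  @type vote :: :granted | :denied | :abstain

  @spec decide([vote], atom, boolean) :: boolean
  def decide(votes, strategy \\ :strategy_affirmative, allow_if_all_abstain \\ false) do
    granted = Enum.count(votes, &(&1 == :granted))
    denied = Enum.count(votes, &(&1 == :denied))

    if granted == 0 and denied == 0 do
      # Every voter abstained (or none is registered): the config option decides.
      allow_if_all_abstain
    else
      tally(strategy, granted, denied)
    end
  end

  # One grant is enough, no matter how many voters deny.
  defp tally(:strategy_affirmative, granted, _denied), do: granted > 0
  # Strictly more grants than denials; a tie denies, following the wording above.
  defp tally(:strategy_consensus, granted, denied), do: granted > denied
  # A single denial blocks access.
  defp tally(:strategy_unanimous, _granted, denied), do: denied == 0
end

# Constructed vote sets, evaluated under each strategy.
cases = [
  {"one grant, two denials", [:granted, :denied, :denied]},
  {"one grant, one denial, one abstain", [:granted, :denied, :abstain]},
  {"one grant, two abstain", [:granted, :abstain, :abstain]},
  {"all abstain", [:abstain, :abstain]}
]

strategies = [:strategy_affirmative, :strategy_consensus, :strategy_unanimous]

for {label, votes} <- cases do
  results = for s <- strategies, do: {s, DecisionSketch.decide(votes, s)}
  IO.inspect(results, label: label)
end

# The same all-abstain vote set with allow_if_all_abstain switched on.
IO.inspect(DecisionSketch.decide([:abstain, :abstain], :strategy_affirmative, true),
  label: "all abstain, allow_if_all_abstain: true")
```

The first constructed case is the one to keep in mind when writing voters: under :strategy_affirmative a single permissive voter grants access even when every other voter denies.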
Summary
Functions
Checks if the attribute is granted against the subject
Checks if the primary_subject is granted attribute against the secondary_subject
Functions
granted?(subject :: struct(), attribute :: String.t()) :: true | false
Checks if the attribute is granted against the subject.
Example: %User{} (subject) is granted ROLE_ADMIN (attribute)
granted?(primary_subject :: struct(), attribute :: String.t(), secondary_subject :: struct()) :: true | false
Checks if the primary_subject is granted attribute against the secondary_subject.
Example: %User{} (primary subject) is granted DELETE_COMMENTS (attribute) on %Blog{} (secondary subject)