access_decision_manager v0.2.1 AccessDecisionManager

Inspired by Symfony’s Access Decision Manager, security “voters” are a granular way of checking permissions (e.g. “can this specific user edit the given item?”).

For example, you may want to check if the current user (primary subject) can “DELETE_COMMENT” (attribute) a Blog (secondary subject).

Or you may simply want to check if the current user (primary subject) has “ROLE_ADMIN” (attribute).

All voters are called each time you use the granted?() function. AccessDecisionManager then takes the responses from all voters and makes the final decision (to allow or deny access to the resource) according to the configured strategy.

There are three “strategies”:

:strategy_affirmative (default): This grants access as soon as there is one voter granting access.

:strategy_consensus: This grants access if there are more voters granting access than denying.

:strategy_unanimous: This only grants access if there is no voter denying access. If all voters abstained from voting, the decision is based on the allow_if_all_abstain config option (which defaults to false).

The default (and only currently supported) strategy is :strategy_affirmative. Support for :strategy_unanimous and :strategy_consensus is TBD.
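How the three strategies resolve the same set of votes, as an added example that is not code from access_decision_manager. The StrategyDemo module, its vote atoms (:granted, :denied, :abstain) and the voter functions are assumptions made for illustration, and the sample user is constructed.

```elixir
defmodule StrategyDemo do
  # Hypothetical stand-alone model of the strategies described above.
  # Module, function names and vote atoms are assumptions for this example,
  # not the access_decision_manager API.

  # Each voter is a function (subject, attribute) -> :granted | :denied | :abstain.
  # Every voter is called, then the strategy resolves the collected votes.
  def decide(voters, subject, attribute, strategy, opts \\ []) do
    votes = Enum.map(voters, fn voter -> voter.(subject, attribute) end)
    resolve(strategy, votes, Keyword.get(opts, :allow_if_all_abstain, false))
  end

  # One grant is enough, regardless of how many voters deny.
  def resolve(:strategy_affirmative, votes, _allow), do: :granted in votes

  # Strictly more grants than denials; a tie or no votes at all denies.
  def resolve(:strategy_consensus, votes, _allow) do
    Enum.count(votes, &(&1 == :granted)) > Enum.count(votes, &(&1 == :denied))
  end

  # Any denial blocks; if every voter abstained, fall back to the option.
  def resolve(:strategy_unanimous, votes, allow_if_all_abstain) do
    cond do
      :denied in votes -> false
      :granted in votes -> true
      true -> allow_if_all_abstain
    end
  end
end

# Constructed voters: a role check, an account-suspension check, and one
# voter that has no opinion on this attribute.
role_voter = fn user, attr -> if attr in user.roles, do: :granted, else: :abstain end
suspended_voter = fn user, _attr -> if user.suspended, do: :denied, else: :abstain end
unrelated_voter = fn _user, _attr -> :abstain end

voters = [role_voter, suspended_voter, unrelated_voter]
# Constructed sample subject: an admin whose account is suspended.
user = %{roles: ["ROLE_ADMIN"], suspended: true}

for strategy <- [:strategy_affirmative, :strategy_consensus, :strategy_unanimous] do
  IO.inspect({strategy, StrategyDemo.decide(voters, user, "ROLE_ADMIN", strategy)})
end
```

The suspended admin collects one grant, one denial and one abstention, so the affirmative strategy allows access while consensus and unanimous deny it: under the default strategy a denying voter cannot veto a grant from another voter.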

Summary

Functions

granted?(subject, attribute)
Checks if the attribute is granted against the subject

granted?(primary_subject, attribute, secondary_subject)
Checks if the primary_subject is granted attribute against the secondary_subject

Functions

granted?(subject, attribute)
granted?(subject :: struct(), attribute :: String.t()) :: true | false

Checks if the attribute is granted against the subject.

Example: %User{} (subject) is granted ROLE_ADMIN (attribute)

granted?(primary_subject, attribute, secondary_subject)
granted?(primary_subject :: struct(), attribute :: String.t(), secondary_subject :: struct()) :: true | false

Checks if the primary_subject is granted attribute against the secondary_subject.

Example: %User{} (primary subject) is granted DELETE_COMMENTS (attribute) on %Blog{} (secondary subject)