authy v0.1.1 Authy

Authy can be used to authorize user actions for resources. It has no external dependencies, so it will work in any Elixir app as a basic authorization mechanism.

See the readme for more information and examples.

For common integration patterns in Plug-based web applications, check out Authy.Controller.

Summary

Functions

authorized?(user, action, term, opts \\ [])
  Returns a boolean determining if the user's action is authorized via the appropriate policy module for that resource

policy_module(term)
  Given a data structure, determines the policy module to call for authorization checks, following the Authy convention

scoped(user, action, term, opts \\ [])
  Scope resources based on the current user

Functions

authorized?(user, action, term, opts \\ [])

Returns a boolean determining if the user's action is authorized via the appropriate policy module for that resource.

policy_module/1 is used to find the policy module (unless one is given via the :policy option), then can?(user, action, term) is called on that module and its result returned.

user = %MyApp.User{}
post = %MyApp.Post{}
Authy.authorized?(user, :show, post)
Authy.authorized?(user, :index, MyApp.Post)

You can explicitly specify the policy module using the :policy option:

Authy.authorized?(user, :show, post, policy: MyApp.DraftPost.Policy)

policy_module(term)
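The following is an added example, not code from the authy package or its docs: a policy module that follows the naming convention authorized?/4 relies on (MyApp.Post resolves to MyApp.Post.Policy) and implements can?/3 with an explicit deny-by-default clause. The struct fields used here (User.id, User.role, Post.user_id, Post.published) are assumptions for illustration.

```elixir
# Added example (not from the authy package): a policy for MyApp.Post.
# Assumes %MyApp.User{id: _, role: _} and %MyApp.Post{user_id: _, published: _}.
defmodule MyApp.Post.Policy do
  alias MyApp.{Post, User}

  # Admins may perform any action on posts.
  def can?(%User{role: "admin"}, _action, _term), do: true

  # Anyone, including an anonymous (nil) user, may list posts;
  # Authy.scoped/4 is what narrows the list they actually see.
  def can?(_user, :index, Post), do: true

  # Published posts are readable by anyone.
  def can?(_user, :show, %Post{published: true}), do: true

  # Authors may view and modify their own posts, published or not.
  # Repeating `id` in the pattern requires both fields to be equal.
  def can?(%User{id: id}, action, %Post{user_id: id})
      when action in [:show, :edit, :update, :delete],
      do: true

  # Fail closed: any user/action/term combination not listed above is
  # denied. Without this clause an unmatched call would raise
  # FunctionClauseError rather than return false.
  def can?(_user, _action, _term), do: false
end

# Usage with assumed structs; Authy.authorized?/3 resolves the policy
# module from the term and calls can?/3 on it.
owner = %MyApp.User{id: 1, role: "user"}
other = %MyApp.User{id: 2, role: "user"}
draft = %MyApp.Post{user_id: 1, published: false}

Authy.authorized?(owner, :edit, draft)
Authy.authorized?(other, :show, draft)
Authy.authorized?(other, :index, MyApp.Post)
Authy.authorized?(nil, :delete, draft)
```

Clause order matters: the most permissive match (admin) comes first and the catch-all deny last. With the structs above, the owner editing their draft and the other user listing posts dispatch to a `true` clause, while the other user viewing the unpublished draft and the anonymous delete fall through to the final clause and are denied. Note that policy_module/1 returns :error for a term that is neither a struct nor an atom (a string, a map, an id), so pass the struct or module, not a raw value, when calling authorized?/4.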

Given a data structure, determines the policy module to call for authorization checks, following the Authy convention.

Returns the policy module as an atom if passed a struct or a module atom, by appending ".Policy" to the module name.

policy_module(MyApp.User)         # => MyApp.User.Policy
policy_module(%MyApp.User{})      # => MyApp.User.Policy

Returns :error otherwise.

policy_module("Derp") # => :error

scoped(user, action, term, opts \\ [])

Scope resources based on the current user.

For example, a regular user can only see posts they have created, but an admin can see all posts. You can define a scope function on the policy module (scope(user, action, opts), as in the example below) to return the appropriate scope for that user.

Any options passed to scoped/4 are passed through as opts to your scope function.

This example scopes an Ecto query to the posts a user can see.

# post_policy.ex
defmodule MyApp.Post.Policy do
  import Ecto.Query, only: [where: 2]

  # A user can only see their own posts, but an admin can see all posts.
  # Any other role falls through to an error tuple rather than a query,
  # so an unknown role never widens the result set.
  def scope(user, _action, _opts \\ []) do
    case user.role do
      "user" -> MyApp.Post |> where(user_id: ^user.id)
      "admin" -> MyApp.Post
      _ -> {:error, :unknown_role}
    end
  end
end

# post_controller.ex
# scoped/4 takes the action as well as the term, matching can?/3.
posts = Authy.scoped(current_user, :index, MyApp.Post) |> Repo.all