nova_auth_policy (nova_auth v0.2.0)
View SourcePolicy helpers for nova_resource authorization. Returns policy maps with condition functions that can be evaluated against an actor and context.
Summary
Functions
Allow any authenticated (non-undefined) actor.
Allow actors who have a specific claim value. Works with both single-valued and list-valued claims (e.g., Authentik groups mapped to roles).
Allow actors who own the record (actor id matches the owner field).
Allow actors whose role field matches one of the given roles.
Deny all actors unconditionally.
Types
-type policy() :: #{action := atom(), condition := fun()}.
Functions
-spec allow_authenticated() -> policy().
Allow any authenticated (non-undefined) actor.
Allow actors who have a specific claim value. Works with both single-valued and list-valued claims (e.g., Authentik groups mapped to roles).
allow_claim(roles, admin)
allow_claim(roles, [admin, editor])
Allow actors who own the record (actor id matches the owner field).
Allow actors whose role field matches one of the given roles.
-spec deny_all() -> policy().
Deny all actors unconditionally.