nova_auth_policy (nova_auth v0.2.0)

View Source

Policy helpers for nova_resource authorization. Returns policy maps with condition functions that can be evaluated against an actor and context.

Summary

Functions

Allow any authenticated (non-undefined) actor.

Allow actors who have a specific claim value. Works with both single-valued and list-valued claims (e.g., Authentik groups mapped to roles).

Allow actors who own the record (actor id matches the owner field).

Allow actors whose role field matches one of the given roles.

Deny all actors unconditionally.

Types

policy()

-type policy() :: #{action := atom(), condition := fun()}.

Functions

allow_authenticated()

-spec allow_authenticated() -> policy().

Allow any authenticated (non-undefined) actor.

allow_claim/2

-spec allow_claim(atom(), term() | [term()]) -> policy().

Allow actors who have a specific claim value. Works with both single-valued and list-valued claims (e.g., Authentik groups mapped to roles).

allow_claim(roles, admin)
allow_claim(roles, [admin, editor])

allow_owner(OwnerField)

-spec allow_owner(atom()) -> policy().

Allow actors who own the record (actor id matches the owner field).

allow_role/1

-spec allow_role(atom() | [atom()]) -> policy().

Allow actors whose role field matches one of the given roles.

deny_all()

-spec deny_all() -> policy().

Deny all actors unconditionally.