Rolex.DSL (Rolex v0.5.2)
Implements a small domain-specific language ("DSL") for scoping permissions.
The DSL is defined by a handful of keyword options:
- :role - a plain atom naming the role
- :to - specifies the subject scope; i.e. "who holds the role?"
- :on - specifies the object scope; i.e. "on which resources does the role apply?"
When revoking permissions, :from is used in place of :to, because it reads more naturally.
Subject and object scopes are specified using any of these values:
- :all - a special atom for granting or denying ALL of something
- any Ecto schema module; e.g. MyApp.Users.User
- any Ecto schema record; e.g. %MyApp.Users.User{id: 123}
Summary
Functions
Returns a changeset for DSL options used to perform action.
Returns a changeset for options used when filtering permissions.
Returns a changeset for DSL options used when granting or denying permissions.
Returns a changeset for options used when revoking permissions.
Returns a new Rolex.DSL initialized from input on success, or {:error, reason} otherwise.
Converts input from external DSL options to internal Rolex.Permission schema params.
Types
@type action() :: :grant | :deny | :revoke | :filter
@type any_from_opt() :: {:from, any_scope()}
@type any_on_opt() :: {:on, any_scope()}
@type any_role() :: :any | role()
@type any_role_opt() :: {:role, any_role()}
@type any_to_opt() :: {:to, any_scope()}
@type changeset() :: Ecto.Changeset.t(t())
@type from_opt() :: {:from, scope()}
@type on_opt() :: {:on, scope()}
@type record() :: Ecto.Schema.t()
@type role() :: atom()
@type role_opt() :: {:role, role()}
@type schema() :: module()
@type to_opt() :: {:to, scope()}
Functions
Returns a changeset for DSL options used to perform action.
Action may be any of :grant, :deny, :revoke, :filter.
@spec changeset_for_filter([any_role_opt() | any_to_opt() | any_on_opt()]) :: changeset()
Returns a changeset for options used when filtering permissions.
Options:
- :role - a plain atom naming a role, or:
  - :any - will match any permission role
  - a list of plain atoms naming all roles of interest
- :to - :all, schema, record, or:
  - :any - will match any permission subject
  - {:any, <schema>} - will match any permission subject of the named schema
- :on - :all, schema, record, or:
  - :any - will match any permission object
  - {:any, <schema>} - will match any permission object of the named schema
Returns a changeset for DSL options used when granting or denying permissions.
Options:
- :role - a plain atom naming a role
- :to - :all, schema, or record
- :on - :all, schema, or record
@spec changeset_for_revoke([any_role_opt() | any_from_opt() | any_on_opt()]) :: changeset()
Returns a changeset for options used when revoking permissions.
Options:
- :role - a plain atom naming a role, or:
  - :any - will match any permission role
- :from - :all, schema, record, or:
  - :any - will match any permission subject
  - {:any, <schema>} - will match any permission subject of the named schema
- :on - :all, schema, record, or:
  - :any - will match any permission object
  - {:any, <schema>} - will match any permission object of the named schema
Returns a new Rolex.DSL initialized from input on success, or {:error, reason} otherwise.
@spec to_permission_params(t() | Enumerable.t()) :: map() | {:error, term()}
Converts input from external DSL options to internal Rolex.Permission schema params.
Returns an atom-keyed map on success, or an {:error, reason} tuple otherwise.
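The option rules listed above for granting, denying, revoking and filtering, modelled as a stand-alone Elixir script. This is an added example, not Rolex's own code: ScopeCheck, Demo.User and the error tuples are hypothetical. It assumes that a "schema" is any module exporting __schema__/1, that all three options are required, and that :any is reserved and so not accepted as a role name when granting or denying.

```elixir
# Added illustration, not Rolex source: a model of the option rules on this page.
# Assumptions: Demo.User is a constructed stand-in for an Ecto schema, a "schema" is
# any module exporting __schema__/1, all options are required, :any is reserved.
defmodule Demo.User do
  defstruct [:id]
  def __schema__(_query), do: nil
end

defmodule ScopeCheck do
  @subject_key %{grant: :to, deny: :to, filter: :to, revoke: :from}
  def validate(action, opts) when action in [:grant, :deny, :revoke, :filter] do
    subject = Map.fetch!(@subject_key, action)
    # Per the page, :any and {:any, schema} are listed only under filter and revoke.
    wild? = action in [:revoke, :filter]
    with [] <- Keyword.keys(opts) -- [:role, subject, :on],
         :ok <- check_role(opts[:role], action),
         :ok <- check_scope(subject, opts[subject], wild?),
         :ok <- check_scope(:on, opts[:on], wild?) do
      :ok
    else
      extra when is_list(extra) -> {:error, {:unexpected_options, extra}}
      error -> error
    end
  end

  defp check_role(:any, action) when action in [:revoke, :filter], do: :ok
  defp check_role(roles, :filter) when is_list(roles) and roles != [],
    do: verdict(Enum.all?(roles, &plain?/1), {:invalid_role, roles})
  defp check_role(role, _action), do: verdict(plain?(role), {:invalid_role, role})
  defp plain?(role), do: is_atom(role) and role not in [nil, :any]

  defp check_scope(_key, :all, _wild?), do: :ok
  defp check_scope(_key, :any, true), do: :ok
  defp check_scope(key, {:any, mod}, true), do: check_schema(key, mod)
  defp check_scope(key, %mod{}, _wild?), do: check_schema(key, mod)
  defp check_scope(key, other, _wild?), do: check_schema(key, other)

  defp check_schema(key, mod) do
    loaded? = is_atom(mod) and Code.ensure_loaded?(mod)
    verdict(loaded? and function_exported?(mod, :__schema__, 1), {:invalid_scope, key, mod})
  end
  defp verdict(ok?, reason), do: if(ok?, do: :ok, else: {:error, reason})
end

user = struct(Demo.User, id: 123)
IO.inspect(ScopeCheck.validate(:grant, role: :admin, to: user, on: :all))
IO.inspect(ScopeCheck.validate(:grant, role: :admin, to: :any, on: :all))
IO.inspect(ScopeCheck.validate(:revoke, role: :any, from: {:any, Demo.User}, on: :all))
IO.inspect(ScopeCheck.validate(:revoke, role: :admin, to: user, on: :all))
```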