Authorization module for checking user permissions in the Voile application.
Summary
Functions
Assign a role to a user.
Check if user is authenticated (from socket or conn assigns).
Authorize a user for a permission or raise an error.
Authorize that at least one permission in the list is granted for the given
subject (user, conn, or socket) or raise UnauthorizedError.
Returns true if any of the given permission names are granted for the
provided subject (user, conn, or socket).
Check if a user has a specific permission.
Get the current user from socket or conn assigns.
Explicitly deny a permission for a user (overrides role permissions).
Get all permissions for a user (including role and direct permissions).
Grant a direct permission to a user.
Check if a user has the super_admin role.
Remove a role assignment from a user.
Functions
Assign a role to a user.
Options
:scope_type - "global", "collection", or "item" (default: "global")
:scope_id - ID of the scoped resource (required for collection/item scope)
:glam_type - "Gallery", "Library", "Archive", or "Museum" (optional, for GLAM curator roles)
:assigned_by_id - ID of the user assigning the role
:expires_at - DateTime when the role assignment expires
Examples
# Assign librarian role for Library collections only
assign_role(user_id, librarian_role_id, glam_type: "Library")
# Assign role to specific collection
assign_role(user_id, role_id, scope_type: "collection", scope_id: collection_id)
Check if user is authenticated (from socket or conn assigns).
Examples
authenticated?(socket)
authenticated?(conn)
Authorize a user for a permission or raise an error.
Examples
iex> authorize!(user, "collections.create")
:ok
iex> authorize!(user, "collections.delete")
** (Glam.Authorization.UnauthorizedError) User does not have permission: collections.delete
Authorize that at least one permission in the list is granted for the given
subject (user, conn, or socket) or raise UnauthorizedError.
Examples
Authorization.authorize_any!(conn, ["metadata.manage", "metadata.edit"])
Returns true if any of the given permission names are granted for the
provided subject (user, conn, or socket).
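A typical way to put authorize_any!/2 and authenticated?/1 to work is a router plug that fails closed: unauthenticated requests get 401 and authenticated users lacking every listed permission get 403, with the pipeline halted in both cases. The module below is an added example and not code from the Voile project. It assumes the module is reachable as Glam.Authorization (the name shown in the UnauthorizedError above) and uses VoileWeb as a hypothetical application namespace.

```elixir
defmodule VoileWeb.Plugs.RequirePermission do
  @moduledoc """
  Illustrative plug (not part of the application) that enforces at least one
  of a list of permissions for the current request and halts otherwise.

  Router usage (assumed namespace):

      pipeline :metadata_admin do
        plug VoileWeb.Plugs.RequirePermission, any: ["metadata.manage", "metadata.edit"]
      end

      plug VoileWeb.Plugs.RequirePermission, permission: "collections.create"
  """
  @behaviour Plug
  import Plug.Conn

  # Assumption: module name as it appears in the documented error message.
  alias Glam.Authorization

  @impl true
  def init(opts) do
    # Accept either `permission: "x"` or `any: ["x", "y"]`; normalize to a
    # non-empty list so call/2 has a single shape to handle.
    case Keyword.fetch(opts, :any) do
      {:ok, perms} when is_list(perms) and perms != [] -> {:any, perms}
      _ -> {:any, [Keyword.fetch!(opts, :permission)]}
    end
  end

  @impl true
  def call(conn, {:any, perms}) do
    if Authorization.authenticated?(conn) do
      # Raises Glam.Authorization.UnauthorizedError when none of the
      # permissions is granted for the user in the conn assigns.
      Authorization.authorize_any!(conn, perms)
      conn
    else
      # No user in assigns: refuse before evaluating permissions at all.
      conn
      |> send_resp(401, "Unauthorized")
      |> halt()
    end
  rescue
    Authorization.UnauthorizedError ->
      conn
      |> send_resp(403, "Forbidden")
      |> halt()
  end
end
```

Rescuing the exception inside the plug keeps the response deterministic regardless of how the endpoint's error handling is configured; distinguishing 401 from 403 also makes failed authorization attempts easy to separate from anonymous traffic in access logs.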
Check if a user has a specific permission.
Examples
# Check global permission
iex> can?(user, "collections.create")
true
# Check scoped permission for a collection
iex> can?(user, "items.update", scope: {:collection, 5})
true
# Check scoped permission for an item
iex> can?(user, "items.delete", scope: {:item, 123})
false
Get the current user from socket or conn assigns.
Returns nil if no user is authenticated.
Examples
user = current_user(socket)
user = current_user(conn)
Explicitly deny a permission for a user (overrides role permissions).
Get all permissions for a user (including role and direct permissions).
Grant a direct permission to a user.
Check if a user has the super_admin role.
Super admins have unrestricted access to all resources across all nodes/units.
Examples
iex> is_super_admin?(user)
true
iex> is_super_admin?(socket)
false
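The function docs above describe a permission model with four inputs: role assignments (global or scoped), direct grants, explicit denies that override role permissions, and a super_admin bypass. The module below is an added, self-contained illustration of how such a resolver composes those inputs for can?/3; it is not the project's implementation. The role table, the sample user and the rule that a global assignment applies in every scope while a scoped assignment only matches a check naming that exact scope are all constructed assumptions for the example.

```elixir
defmodule PermissionModelExample do
  @moduledoc """
  Illustrative resolver (not the application's code) showing how role
  permissions, direct grants, explicit denies and super_admin combine.
  """

  # Constructed sample role definitions.
  @roles %{
    "librarian" => ["collections.create", "items.update"],
    "curator" => ["items.update", "items.delete"]
  }

  # Constructed sample user: a global librarian who is also a curator for
  # collection 5, holds one direct grant and one explicit deny.
  @sample_user %{
    super_admin?: false,
    role_assignments: [
      %{role: "librarian", scope: :global},
      %{role: "curator", scope: {:collection, 5}}
    ],
    direct_permissions: ["metadata.edit"],
    denied_permissions: ["items.delete"]
  }

  def sample_user, do: @sample_user

  # Effective permissions for a given scope:
  # (role permissions that apply in the scope ++ direct grants) minus denies.
  # Assumption: global assignments apply everywhere; scoped assignments
  # apply only when the requested scope is exactly the assigned one.
  def permissions(user, scope \\ :global) do
    from_roles =
      user.role_assignments
      |> Enum.filter(fn %{scope: s} -> s == :global or s == scope end)
      |> Enum.flat_map(fn %{role: role} -> Map.get(@roles, role, []) end)

    (from_roles ++ user.direct_permissions)
    |> Enum.uniq()
    |> Enum.reject(&(&1 in user.denied_permissions))
  end

  def can?(user, permission, opts \\ [])

  # Super admins bypass every check, including denies.
  def can?(%{super_admin?: true}, _permission, _opts), do: true

  def can?(user, permission, opts) do
    scope = Keyword.get(opts, :scope, :global)
    permission in permissions(user, scope)
  end

  # Raising variant mirroring the documented authorize! contract.
  def authorize!(user, permission, opts \\ []) do
    if can?(user, permission, opts) do
      :ok
    else
      raise "User does not have permission: #{permission}"
    end
  end
end
```

With this data, checking "items.update" against scope {:collection, 5} succeeds through the scoped curator role, while "items.delete" in the same scope fails even though the curator role grants it, because the explicit deny is applied last. Checking against :global ignores the collection-scoped assignment entirely, so only the librarian permissions and the direct grant remain.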
Remove a role assignment from a user.