photoprism/internal/acl/grant.go

package acl

// Standard grants provided to simplify configuration.
var (
	GrantFullAccess = Grant{
		FullAccess:      true,
		AccessAll:       true,
		AccessOwn:       true,
		AccessShared:    true,
		AccessLibrary:   true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionDownload:  true,
		ActionShare:     true,
		ActionRate:      true,
		ActionReact:     true,
		ActionManage:    true,
		ActionSubscribe: true,
	}
	GrantSubscribeAll = Grant{
		AccessAll:       true,
		ActionSubscribe: true,
	}
	GrantSubscribeOwn = Grant{
		AccessOwn:       true,
		ActionSubscribe: true,
	}
	GrantViewAll = Grant{
		AccessAll:  true,
		ActionView: true,
	}
	GrantViewOwn = Grant{
		AccessOwn:  true,
		ActionView: true,
	}
	GrantViewShared = Grant{
		AccessShared:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	GrantSearchShared = Grant{
		AccessShared:   true,
		ActionSearch:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	GrantNone = Grant{}
)

// Grant represents permissions granted or denied.
type Grant map[Permission]bool

// Allow checks whether the permission is granted.
func (grant Grant) Allow(perm Permission) bool {
	if result, ok := grant[perm]; ok {
		return result
	} else if result, ok = grant[FullAccess]; ok {
		return result
	}

	return false
}

// GrantDefaults defines default grants for all supported roles.
var GrantDefaults = Roles{
	RoleAdmin:   GrantFullAccess,
	RoleVisitor: GrantViewShared,
	RoleClient:  GrantFullAccess,
}
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`package acl`

OAuth2: Add Client Credentials Authentication #213 #782 #808 #3730 #3943 This adds standard OAuth2 client credentials and bearer token support as well as scope-based authorization checks for REST API clients. Note that this initial implementation should not be used in production and that the access token limit has not been implemented yet. Signed-off-by: Michael Mayer <michael@photoprism.app> 2023-12-12 18:42:50 +01:00			`// Standard grants provided to simplify configuration.`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`var (`
OAuth2: Add Client Credentials Authentication #213 #782 #808 #3730 #3943 This adds standard OAuth2 client credentials and bearer token support as well as scope-based authorization checks for REST API clients. Note that this initial implementation should not be used in production and that the access token limit has not been implemented yet. Signed-off-by: Michael Mayer <michael@photoprism.app> 2023-12-12 18:42:50 +01:00			`GrantFullAccess = Grant{`
			`FullAccess: true,`
			`AccessAll: true,`
			`AccessOwn: true,`
			`AccessShared: true,`
			`AccessLibrary: true,`
			`ActionCreate: true,`
			`ActionUpdate: true,`
			`ActionDelete: true,`
			`ActionDownload: true,`
			`ActionShare: true,`
			`ActionRate: true,`
			`ActionReact: true,`
			`ActionManage: true,`
			`ActionSubscribe: true,`
			`}`
			`GrantSubscribeAll = Grant{`
			`AccessAll: true,`
			`ActionSubscribe: true,`
			`}`
			`GrantSubscribeOwn = Grant{`
			`AccessOwn: true,`
			`ActionSubscribe: true,`
			`}`
			`GrantViewAll = Grant{`
			`AccessAll: true,`
			`ActionView: true,`
			`}`
			`GrantViewOwn = Grant{`
			`AccessOwn: true,`
			`ActionView: true,`
			`}`
			`GrantViewShared = Grant{`
			`AccessShared: true,`
			`ActionView: true,`
			`ActionDownload: true,`
			`}`
			`GrantSearchShared = Grant{`
			`AccessShared: true,`
			`ActionSearch: true,`
			`ActionView: true,`
			`ActionDownload: true,`
			`}`
			`GrantNone = Grant{}`
Auth: Session and ACL enhancements #98 #1746 Signed-off-by: Michael Mayer <michael@photoprism.app> 2022-09-28 09:01:17 +02:00			`)`

			`// Grant represents permissions granted or denied.`
			`type Grant map[Permission]bool`

			`// Allow checks whether the permission is granted.`
			`func (grant Grant) Allow(perm Permission) bool {`
			`if result, ok := grant[perm]; ok {`
			`return result`
			`} else if result, ok = grant[FullAccess]; ok {`
			`return result`
			`}`

			`return false`
			`}`
OAuth2: Add Client Credentials Authentication #213 #782 #808 #3730 #3943 This adds standard OAuth2 client credentials and bearer token support as well as scope-based authorization checks for REST API clients. Note that this initial implementation should not be used in production and that the access token limit has not been implemented yet. Signed-off-by: Michael Mayer <michael@photoprism.app> 2023-12-12 18:42:50 +01:00
			`// GrantDefaults defines default grants for all supported roles.`
			`var GrantDefaults = Roles{`
			`RoleAdmin: GrantFullAccess,`
			`RoleVisitor: GrantViewShared,`
			`RoleClient: GrantFullAccess,`
			`}`