2020-06-25 14:54:04 +02:00
|
|
|
/*
|
2022-09-28 09:01:17 +02:00
|
|
|
Package acl provides access control lists for authorization checks.
|
2020-06-25 14:54:04 +02:00
|
|
|
|
2023-01-11 16:43:01 +01:00
|
|
|
Copyright (c) 2018 - 2023 PhotoPrism UG. All rights reserved.
|
2020-06-25 14:54:04 +02:00
|
|
|
|
2022-08-10 16:09:21 +02:00
|
|
|
This program is free software: you can redistribute it and/or modify
|
|
|
|
|
it under Version 3 of the GNU Affero General Public License (the "AGPL"):
|
|
|
|
|
<https://docs.photoprism.app/license/agpl>
|
2020-06-25 14:54:04 +02:00
|
|
|
|
2022-08-10 16:09:21 +02:00
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU Affero General Public License for more details.
|
2020-06-25 14:54:04 +02:00
|
|
|
|
2022-08-10 16:09:21 +02:00
|
|
|
The AGPL is supplemented by our Trademark and Brand Guidelines,
|
|
|
|
|
which describe how our Brand Assets may be used:
|
2023-02-08 09:07:42 +01:00
|
|
|
<https://www.photoprism.app/trademark>
|
2020-06-25 14:54:04 +02:00
|
|
|
|
2022-04-13 22:17:59 +02:00
|
|
|
Feel free to send an email to hello@photoprism.app if you have questions,
|
2020-06-25 14:54:04 +02:00
|
|
|
want to support our work, or just want to say hello.
|
|
|
|
|
|
|
|
|
|
Additional information can be found in our Developer Guide:
|
2022-02-27 17:32:54 +01:00
|
|
|
<https://docs.photoprism.app/developer-guide/>
|
2020-06-25 14:54:04 +02:00
|
|
|
*/
|
|
|
|
|
package acl
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
// ACL represents an access control list based on Resource, Roles, and Permissions.
|
2020-06-25 14:54:04 +02:00
|
|
|
type ACL map[Resource]Roles
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
// Deny checks whether the role must be denied access to the specified resource.
|
|
|
|
|
func (acl ACL) Deny(resource Resource, role Role, perm Permission) bool {
|
|
|
|
|
return !acl.Allow(resource, role, perm)
|
2020-06-25 14:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
// DenyAll checks whether the role is granted none of the permissions for the specified resource.
|
|
|
|
|
func (acl ACL) DenyAll(resource Resource, role Role, perms Permissions) bool {
|
|
|
|
|
return !acl.AllowAny(resource, role, perms)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Allow checks whether the role is granted permission for the specified resource.
|
|
|
|
|
func (acl ACL) Allow(resource Resource, role Role, perm Permission) bool {
|
|
|
|
|
if p, ok := acl[resource]; ok {
|
|
|
|
|
return p.Allow(role, perm)
|
|
|
|
|
} else if p, ok = acl[ResourceDefault]; ok {
|
|
|
|
|
return p.Allow(role, perm)
|
2020-06-25 14:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
// AllowAny checks whether the role is granted any of the permissions for the specified resource.
|
|
|
|
|
func (acl ACL) AllowAny(resource Resource, role Role, perms Permissions) bool {
|
|
|
|
|
if len(perms) == 0 {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for i := range perms {
|
|
|
|
|
if acl.Allow(resource, role, perms[i]) {
|
|
|
|
|
return true
|
|
|
|
|
}
|
2020-06-25 14:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
// AllowAll checks whether the role is granted all of the permissions for the specified resource.
|
|
|
|
|
func (acl ACL) AllowAll(resource Resource, role Role, perms Permissions) bool {
|
|
|
|
|
if len(perms) == 0 {
|
|
|
|
|
return false
|
2020-06-25 14:54:04 +02:00
|
|
|
}
|
|
|
|
|
|
2022-09-28 09:01:17 +02:00
|
|
|
for i := range perms {
|
|
|
|
|
if acl.Deny(resource, role, perms[i]) {
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return true
|
2020-06-25 14:54:04 +02:00
|
|
|
}
|
