Add CanDo function to AccessControl interface

Enables us to authorize actions and links
2025-04-28 03:20:08 +00:00 · 2018-04-25 12:16:16 -07:00 · 2018-04-25 12:16:16 -07:00 · bde68141b6
commit bde68141b6
parent 063fbdfa71
2 changed files with 10 additions and 0 deletions
--- a/authorization/all.go
+++ b/authorization/all.go
@ -46,6 +46,13 @@ func (*AllAccess) CanDelete(apiContext *types.APIContext, obj map[string]interfa
 	return httperror.NewAPIError(httperror.PermissionDenied, "can not delete "+schema.ID)
 }

+func (*AllAccess) CanDo(apiGroup, resource, verb string, apiContext *types.APIContext, obj map[string]interface{}, schema *types.Schema) error {
+	if slice.ContainsString(schema.ResourceMethods, verb) {
+		return nil
+	}
+	return httperror.NewAPIError(httperror.PermissionDenied, "can not perform "+verb+" "+schema.ID)
+}
+
 func (*AllAccess) Filter(apiContext *types.APIContext, schema *types.Schema, obj map[string]interface{}, context map[string]string) map[string]interface{} {
 	return obj
 }
--- a/types/server_types.go
+++ b/types/server_types.go
@ -74,6 +74,9 @@ type AccessControl interface {
 	CanGet(apiContext *APIContext, schema *Schema) error
 	CanUpdate(apiContext *APIContext, obj map[string]interface{}, schema *Schema) error
 	CanDelete(apiContext *APIContext, obj map[string]interface{}, schema *Schema) error
+	// CanDo function should not yet be used if a corresponding specific method exists. It has been added to
+	// satisfy a specific usecase for the short term until full-blown dynamic RBAC can be implemented.
+	CanDo(apiGroup, resource, verb string, apiContext *APIContext, obj map[string]interface{}, schema *Schema) error

 	Filter(apiContext *APIContext, schema *Schema, obj map[string]interface{}, context map[string]string) map[string]interface{}
 	FilterList(apiContext *APIContext, schema *Schema, obj []map[string]interface{}, context map[string]string) []map[string]interface{}