
Package acl provides access control lists for authorization checks.

Copyright (c) 2018 - 2024 PhotoPrism UG. All rights reserved.

This program is free software: you can redistribute it and/or modify
it under Version 3 of the GNU Affero General Public License (the "AGPL"):
<https://docs.photoprism.app/license/agpl>

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

The AGPL is supplemented by our Trademark and Brand Guidelines,
which describe how our Brand Assets may be used:
<https://www.photoprism.app/trademark>

Feel free to send an email to hello@photoprism.app if you have questions, want to support our work, or just want to say hello.

Additional information can be found in our Developer Guide: <https://docs.photoprism.app/developer-guide/>


Variables

// Standard grants provided to simplify configuration.
//
// A Grant is a map[Permission]bool; only the permissions listed in each
// literal are present. Any key that is not listed is absent from the map and
// therefore reads as false when looked up.
var (
	// GrantFullAccess sets FullAccess plus every Access*/Action* key listed
	// below. ActionSearch, ActionUpload, ActionManageOwn and AccessPrivate are
	// NOT listed; whether FullAccess short-circuits checks for those
	// permissions depends on Grant.Allow, whose body is not shown on this
	// page — confirm before relying on it.
	GrantFullAccess = Grant{
		FullAccess:      true,
		AccessAll:       true,
		AccessOwn:       true,
		AccessShared:    true,
		AccessLibrary:   true,
		ActionView:      true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionDownload:  true,
		ActionShare:     true,
		ActionRate:      true,
		ActionReact:     true,
		ActionManage:    true,
		ActionSubscribe: true,
	}
	// GrantOwn: view/create/update/delete/subscribe, scoped to AccessOwn only.
	GrantOwn = Grant{
		AccessOwn:       true,
		ActionView:      true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionSubscribe: true,
	}
	// GrantAll: the same actions as GrantOwn, additionally with AccessAll.
	// Unlike GrantFullAccess it carries no FullAccess, ActionShare,
	// ActionDownload or ActionManage.
	GrantAll = Grant{
		AccessAll:       true,
		AccessOwn:       true,
		ActionView:      true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionSubscribe: true,
	}
	// GrantManageOwn: GrantOwn plus ActionManageOwn.
	GrantManageOwn = Grant{
		AccessOwn:       true,
		ActionView:      true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionSubscribe: true,
		ActionManageOwn: true,
	}
	// GrantConfigureOwn: create/update/delete own items; note ActionView is
	// deliberately absent.
	GrantConfigureOwn = Grant{
		AccessOwn:    true,
		ActionCreate: true,
		ActionUpdate: true,
		ActionDelete: true,
	}
	// GrantUpdateOwn: update own items only (no view).
	GrantUpdateOwn = Grant{
		AccessOwn:    true,
		ActionUpdate: true,
	}
	// GrantViewOwn: read-only access to own items.
	GrantViewOwn = Grant{
		AccessOwn:  true,
		ActionView: true,
	}
	// GrantViewUpdateOwn: view and update own items.
	GrantViewUpdateOwn = Grant{
		AccessOwn:    true,
		ActionView:   true,
		ActionUpdate: true,
	}
	// GrantViewLibrary: read-only access to library content.
	GrantViewLibrary = Grant{
		AccessLibrary: true,
		ActionView:    true,
	}
	// GrantViewAll: read-only access to all and own items.
	GrantViewAll = Grant{
		AccessAll:  true,
		AccessOwn:  true,
		ActionView: true,
	}
	// GrantViewUpdateAll: view and update across all and own items.
	GrantViewUpdateAll = Grant{
		AccessAll:    true,
		AccessOwn:    true,
		ActionView:   true,
		ActionUpdate: true,
	}
	// GrantViewShared: view and download shared content; no ActionSearch.
	GrantViewShared = Grant{
		AccessShared:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	// GrantSearchShared: GrantViewShared plus ActionSearch.
	GrantSearchShared = Grant{
		AccessShared:   true,
		ActionSearch:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	// GrantSearchAll: search and view across all items. AccessOwn is not set
	// here, unlike GrantViewAll.
	GrantSearchAll = Grant{
		AccessAll:    true,
		ActionView:   true,
		ActionSearch: true,
	}
	// GrantSubscribeOwn: event subscription for own channels only.
	GrantSubscribeOwn = Grant{
		AccessOwn:       true,
		ActionSubscribe: true,
	}
	// GrantSubscribeAll: event subscription for all channels.
	GrantSubscribeAll = Grant{
		AccessAll:       true,
		ActionSubscribe: true,
	}
	// GrantNone is an empty Grant: every lookup yields false, so it acts as an
	// explicit deny entry (see RoleClient under ResourceDefault in Rules).
	GrantNone = Grant{}
)

Standard grants provided to simplify configuration.

// Scope grants bundle the permissions behind ScopeRead and ScopeWrite.
//
// Between them, GrantScopeRead and GrantScopeWrite list every Permission
// constant except FullAccess; neither sets FullAccess. How a scope is
// expanded into these grants during a check is not shown on this page.
var (
	// GrantScopeRead: all five Access* keys plus the read-only actions
	// (search, view, download, subscribe). No write actions.
	GrantScopeRead = Grant{
		AccessShared:    true,
		AccessLibrary:   true,
		AccessPrivate:   true,
		AccessOwn:       true,
		AccessAll:       true,
		ActionSearch:    true,
		ActionView:      true,
		ActionDownload:  true,
		ActionSubscribe: true,
	}
	// GrantScopeWrite: all five Access* keys plus every mutating action,
	// including ActionManage and ActionManageOwn. It does NOT include
	// ActionView, ActionSearch, ActionDownload or ActionSubscribe, so a
	// write-only scope cannot read unless combined with GrantScopeRead.
	GrantScopeWrite = Grant{
		AccessShared:    true,
		AccessLibrary:   true,
		AccessPrivate:   true,
		AccessOwn:       true,
		AccessAll:       true,
		ActionUpload:    true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionShare:     true,
		ActionDelete:    true,
		ActionRate:      true,
		ActionReact:     true,
		ActionManage:    true,
		ActionManageOwn: true,
	}
)

ClientRoles maps valid API client roles.

// Events specifies granted permissions by event channel and Role.
//
// Only ChannelUser and ChannelSession have explicit entries; the remaining
// Channel* constants (audit, log, notify, index, ...) have none, so their
// handling depends on how ACL.Allow treats a missing Resource and the
// ResourceDefault entry — that logic is not shown on this page. RoleClient
// and RoleDefault are absent from every entry here.
var Events = ACL{
	// Fallback entry: only RoleAdmin is granted anything by default.
	ResourceDefault: Roles{
		RoleAdmin: GrantFullAccess,
	},
	// Visitors may only subscribe to their own user channel.
	ChannelUser: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSubscribeOwn,
	},
	// Visitors may only subscribe to their own session channel.
	ChannelSession: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSubscribeOwn,
	},
}

Events specifies granted permissions by event channel and Role.

// GrantDefaults defines default grants for all supported roles.
//
// RoleClient receives GrantFullAccess here, the same as RoleAdmin, while
// RoleVisitor is limited to GrantViewShared. RoleDefault has no entry.
// Rules assigns this single Roles map to photos, videos and albums; because
// Roles is a map type, those three entries share one underlying map.
var GrantDefaults = Roles{
	RoleAdmin:   GrantFullAccess,
	RoleVisitor: GrantViewShared,
	RoleClient:  GrantFullAccess,
}

GrantDefaults defines default grants for all supported roles.

ResourceNames contains a list of all specified resources.

// Rules specifies granted permissions by Resource and Role.
//
// Reviewer notes on the table below:
//   - RoleClient is granted GrantFullAccess on files, folders, favorites,
//     moments, calendar, people, places, labels, logs and WebDAV, and on
//     photos/videos/albums via GrantDefaults. Confirm that full client
//     access to ResourceLogs and ResourceWebDAV is intended.
//   - RoleAdmin gets GrantAll (not GrantFullAccess) on ResourceUsers.
//   - RoleVisitor and RoleDefault have no entry under ResourceDefault; how
//     ACL.Allow treats a missing role is not shown on this page.
var Rules = ACL{
	ResourceFiles: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceFolders: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceShares: Roles{
		RoleAdmin: GrantFullAccess,
	},
	// photos, videos and albums share the same GrantDefaults map value.
	ResourcePhotos: GrantDefaults,
	ResourceVideos: GrantDefaults,
	ResourceFavorites: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceAlbums: GrantDefaults,
	ResourceMoments: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceCalendar: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourcePeople: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourcePlaces: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantViewShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceLabels: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	// RoleDefault is listed explicitly here and under ResourceSessions only.
	ResourceConfig: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleClient:  GrantViewOwn,
		RoleDefault: GrantViewOwn,
	},
	ResourceSettings: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantViewOwn,
		RoleClient:  GrantViewUpdateOwn,
	},
	// Credential- and service-related resources are admin-only.
	ResourceServices: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourcePasscode: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourcePassword: Roles{
		RoleAdmin: GrantFullAccess,
	},
	// Admin gets GrantAll (no FullAccess/share/download/manage), client may
	// only view its own user record.
	ResourceUsers: Roles{
		RoleAdmin:  GrantAll,
		RoleClient: GrantViewOwn,
	},
	ResourceSessions: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleDefault: GrantOwn,
	},
	// NOTE(review): clients receive GrantFullAccess on logs — confirm intended.
	ResourceLogs: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceWebDAV: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceMetrics: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantViewAll,
	},
	ResourceFeedback: Roles{
		RoleAdmin: GrantFullAccess,
	},
	// Fallback for resources without an entry: clients are explicitly denied
	// via the empty GrantNone; visitors and RoleDefault are simply absent.
	ResourceDefault: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantNone,
	},
}

Rules specifies granted permissions by Resource and Role.

UserRoles maps valid user account roles.


Types

type ACL

// ACL represents an access control list based on Resource, Roles, and Permissions.
// It is a plain map: a Resource without an entry yields a nil Roles value.
type ACL map[Resource]Roles

ACL represents an access control list based on Resource, Roles, and Permissions.

func (ACL) Allow

func (acl ACL) Allow(resource Resource, role Role, perm Permission) bool

Allow checks whether the role is granted permission for the specified resource.

func (ACL) AllowAll

func (acl ACL) AllowAll(resource Resource, role Role, perms Permissions) bool

AllowAll checks whether the role is granted all of the permissions for the specified resource.

func (ACL) AllowAny

func (acl ACL) AllowAny(resource Resource, role Role, perms Permissions) bool

AllowAny checks whether the role is granted any of the permissions for the specified resource.

func (ACL) Deny

func (acl ACL) Deny(resource Resource, role Role, perm Permission) bool

Deny checks whether the Role must be denied access to the specified Resource.

func (ACL) DenyAll

func (acl ACL) DenyAll(resource Resource, role Role, perms Permissions) bool

DenyAll checks whether the role is granted none of the permissions for the specified resource.

func (ACL) Grants

func (acl ACL) Grants(role Role) Grants

Grants returns the permissions granted to the specified Role by Resource.

func (ACL) Resources

func (acl ACL) Resources() (result []string)

Resources returns the resources specified in the ACL.

type Grant

// Grant represents permissions granted or denied. Indexing with a Permission
// that is not present (including on a nil or empty Grant) yields false.
type Grant map[Permission]bool

Grant represents permissions granted or denied.

func (Grant) Allow

func (grant Grant) Allow(perm Permission) bool

Allow checks if this Grant includes the specified Permission.

func (Grant) DenyAny

func (grant Grant) DenyAny(perms Permissions) bool

DenyAny checks if any of the Permissions are not covered by this Grant.

type Grants

// Grants represents Permission Grant by Resource; returned by ACL.Grants.
type Grants map[Resource]Grant

Grants represents Permission Grant by Resource.

type Permission

// Permission represents a single ability. Its value is the string used as a
// Grant map key (see the constants below).
type Permission string

Permission represents a single ability.

// Permissions to use a Resource that can be granted to a Role.
//
// Access* keys describe which items a Role may reach; Action* keys describe
// what it may do with them. Of these, AccessPrivate, ActionSearch,
// ActionUpload and ActionManageOwn are not part of GrantFullAccess.
const (
	// FullAccess is only set by GrantFullAccess; how Grant.Allow treats it
	// is not shown on this page.
	FullAccess      Permission = "full_access"
	AccessShared    Permission = "access_shared"
	AccessLibrary   Permission = "access_library"
	AccessPrivate   Permission = "access_private"
	AccessOwn       Permission = "access_own"
	AccessAll       Permission = "access_all"
	ActionSearch    Permission = "search"
	ActionView      Permission = "view"
	ActionUpload    Permission = "upload"
	ActionCreate    Permission = "create"
	ActionUpdate    Permission = "update"
	ActionDownload  Permission = "download"
	ActionShare     Permission = "share"
	ActionDelete    Permission = "delete"
	ActionRate      Permission = "rate"
	ActionReact     Permission = "react"
	ActionSubscribe Permission = "subscribe"
	ActionManage    Permission = "manage"
	ActionManageOwn Permission = "manage_own"
)

Permissions to use a Resource that can be granted to a Role.

// Permission scopes to Grant multiple Permissions for a Resource.
//
// These share the Permission type with the single-ability constants above
// but are not keys of any standard Grant on this page; GrantScopeRead and
// GrantScopeWrite list the permissions each scope presumably expands to.
const (
	ScopeRead  Permission = "read"
	ScopeWrite Permission = "write"
)

Permission scopes to Grant multiple Permissions for a Resource.

func (Permission) Equal

func (p Permission) Equal(s string) bool

Equal checks if the type matches.

func (Permission) LogId

func (p Permission) LogId() string

LogId returns an identifier string for use in log messages.

func (Permission) NotEqual

func (p Permission) NotEqual(s string) bool

NotEqual checks if the type is different.

func (Permission) String

func (p Permission) String() string

String returns the type as string.

type Permissions

// Permissions represents a list of permissions, as passed to the AllowAll,
// AllowAny, DenyAll and DenyAny checks.
type Permissions []Permission

Permissions represents a list of permissions.

func (Permissions) String

func (perm Permissions) String() string

String returns the permissions as a comma-separated string.

type Resource

// Resource represents a resource for which roles can be granted Permission.
// Both the Resource* and the Channel* constants are of this type.
type Resource string

Resource represents a resource for which roles can be granted Permission.

// Resources for which a Role can be given Permission.
//
// ResourceDefault is the fallback key used by Rules and Events. Five of the
// string values here ("config", "photos", "albums", "labels", "people") are
// also used by Channel* constants of the same type, so those constants
// compare equal; keep Rules and Events lookups separate.
const (
	ResourceFiles     Resource = "files"
	ResourceFolders   Resource = "folders"
	ResourceShares    Resource = "shares"
	ResourcePhotos    Resource = "photos"
	ResourceVideos    Resource = "videos"
	ResourceFavorites Resource = "favorites"
	ResourceAlbums    Resource = "albums"
	ResourceMoments   Resource = "moments"
	ResourceCalendar  Resource = "calendar"
	ResourcePeople    Resource = "people"
	ResourcePlaces    Resource = "places"
	ResourceLabels    Resource = "labels"
	ResourceConfig    Resource = "config"
	ResourceSettings  Resource = "settings"
	ResourcePasscode  Resource = "passcode"
	ResourcePassword  Resource = "password"
	ResourceServices  Resource = "services"
	ResourceUsers     Resource = "users"
	ResourceSessions  Resource = "sessions"
	ResourceLogs      Resource = "logs"
	ResourceWebDAV    Resource = "webdav"
	ResourceMetrics   Resource = "metrics"
	ResourceFeedback  Resource = "feedback"
	ResourceDefault   Resource = "default"
)

A Role can be given Permission to use a Resource.

// Events for which a Role can be granted the ActionSubscribe Permission.
//
// Only ChannelUser and ChannelSession have entries in Events. ChannelConfig,
// ChannelPhotos, ChannelAlbums, ChannelLabels and ChannelPeople carry the
// same string values as ResourceConfig, ResourcePhotos, ResourceAlbums,
// ResourceLabels and ResourcePeople and are of the same type, so a channel
// name looked up against Rules would match the resource entry instead.
const (
	ChannelUser      Resource = "user"
	ChannelSession   Resource = "session"
	ChannelAudit     Resource = "audit"
	ChannelLog       Resource = "log"
	ChannelNotify    Resource = "notify"
	ChannelIndex     Resource = "index"
	ChannelUpload    Resource = "upload"
	ChannelImport    Resource = "import"
	ChannelConfig    Resource = "config"
	ChannelCount     Resource = "count"
	ChannelPhotos    Resource = "photos"
	ChannelCameras   Resource = "cameras"
	ChannelLenses    Resource = "lenses"
	ChannelCountries Resource = "countries"
	ChannelAlbums    Resource = "albums"
	ChannelLabels    Resource = "labels"
	ChannelSubjects  Resource = "subjects"
	ChannelPeople    Resource = "people"
	ChannelSync      Resource = "sync"
)

Events for which a Role can be granted the ActionSubscribe Permission.

func (Resource) Equal

func (r Resource) Equal(s string) bool

Equal checks if the type matches.

func (Resource) LogId

func (r Resource) LogId() string

LogId returns an identifier string for use in log messages.

func (Resource) NotEqual

func (r Resource) NotEqual(s string) bool

NotEqual checks if the type is different.

func (Resource) String

func (r Resource) String() string

String returns the type as string.

type Role

// Role represents a user role. Its zero value is RoleNone ("").
type Role string

Role represents a user role.

// Roles that can be granted Permissions to use a Resource.
//
// RoleNone is the empty string and therefore the zero value of Role; no
// Roles map in Rules or Events has an entry for it, so an uninitialised Role
// misses every entry. RoleDefault appears only under ResourceConfig and
// ResourceSessions in Rules. What Roles.Allow returns for a role without an
// entry is not shown on this page.
const (
	RoleDefault Role = "default"
	RoleAdmin   Role = "admin"
	RoleVisitor Role = "visitor"
	RoleClient  Role = "client"
	RoleNone    Role = ""
)

Roles that can be granted Permissions to use a Resource.

func (Role) Equal

func (r Role) Equal(s string) bool

Equal checks if the type matches.

func (Role) Invalid

func (r Role) Invalid(s string) bool

Invalid checks if the role is invalid.

func (Role) LogId

func (r Role) LogId() string

LogId returns an identifier string for use in log messages.

func (Role) NotEqual

func (r Role) NotEqual(s string) bool

NotEqual checks if the type is different.

func (Role) Pretty

func (r Role) Pretty() string

Pretty returns the type in an easy-to-read format.

func (Role) String

func (r Role) String() string

String returns the type as string.

func (Role) Valid

func (r Role) Valid(s string) bool

Valid checks if the role is valid.

type RoleStrings

// RoleStrings represents user role names mapped to roles. It is a type alias
// (note the "="), not a defined type, so no methods can be attached to it.
type RoleStrings = map[string]Role

RoleStrings represents user role names mapped to roles.

type Roles

// Roles grants permissions to roles. Being a map type, a Roles value assigned
// to several ACL entries (as GrantDefaults is in Rules) is shared, not copied.
type Roles map[Role]Grant

Roles grants permissions to roles.

func (Roles) Allow

func (roles Roles) Allow(role Role, grant Permission) bool

Allow checks whether the permission is granted based on the role.
