Rene Nochebuena
18fcd2bee3
Add MaxPermission constant (62) to make the valid bit range explicit in the API. Document in PermissionProvider that audit logging belongs in the application layer. API committed as stable: Identity, PermissionMask, context helpers, and PermissionProvider interface are unchanged from v0.9.0.
30 lines
1.0 KiB
Go
30 lines
1.0 KiB
Go
package rbac
|
|
|
|
import "context"
|
|
|
|
// PermissionProvider resolves the permission mask for a user on a given resource.
|
|
//
|
|
// Implementations may call [FromContext] to retrieve the [Identity] (and its
|
|
// TenantID) when multi-tenancy is required — there is no need to thread tenantID
|
|
// as an explicit parameter since it is already in the context.
|
|
//
|
|
// The resource string identifies what is being accessed (e.g. "orders",
|
|
// "invoices"). Its meaning is defined by the application.
|
|
//
|
|
// Audit logging of permission checks is out of scope for this package.
|
|
// Log denials and grants inside your PermissionProvider implementation or in
|
|
// the middleware layer that calls it.
|
|
//
|
|
// Example in-memory implementation for tests:
|
|
//
|
|
// type staticProvider struct {
|
|
// mask rbac.PermissionMask
|
|
// }
|
|
//
|
|
// func (p *staticProvider) ResolveMask(_ context.Context, _, _ string) (rbac.PermissionMask, error) {
|
|
// return p.mask, nil
|
|
// }
|
|
type PermissionProvider interface {
|
|
ResolveMask(ctx context.Context, uid, resource string) (PermissionMask, error)
|
|
}
|