Documentation
¶
Overview ¶
Package authz provides authorization primitives for generated applications. It defines the Policy interface, a DefaultPolicy with role-based and ownership-based access control, and a global policy registry.
Index ¶
- Constants
- func Can(user User, action string, resourceType string, resource any) bool
- func IsAdmin(user User) bool
- func Register(resourceType string, p Policy)
- func RequireRole(getUserRole func(r *http.Request) string, roles ...string) func(http.Handler) http.Handler
- func ServeForbidden(w http.ResponseWriter, r *http.Request)
- type CookieAuthenticator
- type DefaultPolicy
- type Ownable
- type Policy
- type User
Constants ¶
const ( ActionCreate = "create" ActionRead = "read" ActionUpdate = "update" ActionDelete = "delete" ActionList = "list" )
Standard actions for CRUD operations.
const ( RoleAdmin = "admin" RoleUser = "user" )
Standard roles.
Variables ¶
This section is empty.
Functions ¶
func Can ¶
Can checks if a user can perform an action on a resource. It looks up the policy by resourceType; falls back to DefaultPolicy.
func Register ¶
Register registers a policy for a resource type name. If no policy is registered for a type, DefaultPolicy is used.
func RequireRole ¶
func RequireRole(getUserRole func(r *http.Request) string, roles ...string) func(http.Handler) http.Handler
RequireRole returns middleware that checks if the authenticated user has one of the allowed roles. The getUserRole function extracts the user's role from the request (typically reading from context set by auth.RequireAuth middleware).
Returns 403 Forbidden if the user's role is not in the allowed list. Must be used after authentication middleware (user must be identified).
func ServeForbidden ¶
func ServeForbidden(w http.ResponseWriter, r *http.Request)
ServeForbidden writes a 403 Forbidden response. Returns JSON for API requests (Accept: application/json), HTML for browser requests.
Types ¶
type CookieAuthenticator ¶
type CookieAuthenticator struct {
// contains filtered or unexported fields
}
CookieAuthenticator implements livetemplate.Authenticator by reading the auth session cookie to identify the user during WebSocket setup. This enables ctx.UserID() to return the real authenticated user ID in LiveTemplate controller actions.
func NewCookieAuthenticator ¶
func NewCookieAuthenticator(cookieName string, lookupFn func(ctx context.Context, token string) (string, error)) *CookieAuthenticator
NewCookieAuthenticator creates an authenticator that reads the auth session cookie and looks up the user ID. The lookupFn should query the tokens table to resolve a session token to a user ID.
Example:
authz.NewCookieAuthenticator("users_token", func(ctx context.Context, token string) (string, error) {
row, err := queries.GetUserToken(ctx, models.GetUserTokenParams{Token: token, Now: time.Now()})
if err != nil { return "", err }
return row.UserID, nil
})
func (*CookieAuthenticator) GetSessionGroup ¶
GetSessionGroup returns the user ID as the session group so that all tabs for the same authenticated user share LiveTemplate state. Falls back to a browser-based cookie for unauthenticated users.
type DefaultPolicy ¶
type DefaultPolicy struct{}
DefaultPolicy implements reasonable defaults:
- Admin can do everything
- Any authenticated user can create and list
- Owner can read, update, delete their own resources
- Non-owner can read but not update/delete
type Ownable ¶
type Ownable interface {
GetCreatedBy() string
}
Ownable is implemented by resources that track ownership via a created_by column.