Version: v0.0.0-...-51f9457 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 9, 2021 License: Apache-2.0 Imports: 15 Imported by: 0



Package perm implements permission checks.

The API is formulated in terms of LUCI Realms permissions, but it is currently implemented on top of native Buildbucket roles (which are deprecated).



View Source
const (
	// UpdateBuildAllowedUsers is a group of users allowed to update builds.
	// They are expected to be robots.
	UpdateBuildAllowedUsers = "buildbucket-update-build-users"

	// Administrators is a group of users that have all permissions in all
	// buckets.
	Administrators = "administrators"


View Source
var (
	// BuildsAdd allows to schedule new builds in a bucket.
	BuildsAdd = realms.RegisterPermission("buildbucket.builds.add")
	// BuildsGet allows to see all information about a build.
	BuildsGet = realms.RegisterPermission("buildbucket.builds.get")
	// BuildsList allows to list and search builds in a bucket.
	BuildsList = realms.RegisterPermission("buildbucket.builds.list")
	// BuildsCancel allows to cancel a build.
	BuildsCancel = realms.RegisterPermission("buildbucket.builds.cancel")

	// BuildersGet allows to see details of a builder (but not its builds).
	BuildersGet = realms.RegisterPermission("")
	// BuildersList allows to list and search builders (but not builds).
	BuildersList = realms.RegisterPermission("")


func BucketsByPerm

func BucketsByPerm(ctx context.Context, p realms.Permission, project string) (buckets []string, err error)

BucketsByPerm returns buckets of the project that the caller has the given permission in. If the project is empty, it returns all user accessible buckets. Note: if the caller doesn't have the permission, it returns empty buckets.

func CanUpdateBuild

func CanUpdateBuild(ctx context.Context) (bool, error)

CanUpdateBuild returns whether the caller has a permission to update builds.

func HasInBucket

func HasInBucket(ctx context.Context, perm realms.Permission, project, bucket string) error

HasInBucket checks the caller has the given permission in the bucket.

Returns appstatus errors. If the bucket doesn't exist returns NotFound.

Always checks the read permission first, returning NotFound if the caller doesn't have it. Returns PermissionDenied if the caller has the read permission, but not the requested `perm`.

func HasInBuilder

func HasInBuilder(ctx context.Context, perm realms.Permission, id *pb.BuilderID) error

HasInBuilder checks the caller has the given permission in the builder.

It's just a tiny wrapper around HasInBucket to reduce typing.

func NotFoundErr

func NotFoundErr(ctx context.Context) error

NotFoundErr returns an appstatus with a generic error message indicating the resource requested was not found with a hint that the user may not have permission to view it. By not differentiating between "not found" and "permission denied" errors, leaking existence of resources a user doesn't have permission to view can be avoided. Should be used everywhere a "not found" or "permission denied" error occurs.


This section is empty.

Source Files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL