Documentation ¶
Overview ¶
Package acl provides access control lists for authorization checks.
Copyright (c) 2018 - 2024 PhotoPrism UG. All rights reserved.
This program is free software: you can redistribute it and/or modify it under Version 3 of the GNU Affero General Public License (the "AGPL"): <https://docs.photoprism.app/license/agpl> This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. The AGPL is supplemented by our Trademark and Brand Guidelines, which describe how our Brand Assets may be used: <https://www.photoprism.app/trademark>
Feel free to send an email to hello@photoprism.app if you have questions, want to support our work, or just want to say hello.
Additional information can be found in our Developer Guide: <https://docs.photoprism.app/developer-guide/>
Index ¶
- Variables
- type ACL
- func (acl ACL) Allow(resource Resource, role Role, perm Permission) bool
- func (acl ACL) AllowAll(resource Resource, role Role, perms Permissions) bool
- func (acl ACL) AllowAny(resource Resource, role Role, perms Permissions) bool
- func (acl ACL) Deny(resource Resource, role Role, perm Permission) bool
- func (acl ACL) DenyAll(resource Resource, role Role, perms Permissions) bool
- func (acl ACL) Grants(role Role) Grants
- func (acl ACL) Resources() (result []string)
- type Grant
- type Grants
- type Permission
- type Permissions
- type Resource
- type Role
- type RoleStrings
- type Roles
Constants ¶
This section is empty.
Variables ¶
var (
	GrantFullAccess = Grant{
		FullAccess:      true,
		AccessAll:       true,
		AccessOwn:       true,
		AccessShared:    true,
		AccessLibrary:   true,
		ActionCreate:    true,
		ActionUpdate:    true,
		ActionDelete:    true,
		ActionDownload:  true,
		ActionShare:     true,
		ActionRate:      true,
		ActionReact:     true,
		ActionManage:    true,
		ActionSubscribe: true,
	}
	GrantSubscribeAll = Grant{
		AccessAll:       true,
		ActionSubscribe: true,
	}
	GrantSubscribeOwn = Grant{
		AccessOwn:       true,
		ActionSubscribe: true,
	}
	GrantViewAll = Grant{
		AccessAll:  true,
		ActionView: true,
	}
	GrantViewOwn = Grant{
		AccessOwn:  true,
		ActionView: true,
	}
	GrantViewShared = Grant{
		AccessShared:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	GrantSearchShared = Grant{
		AccessShared:   true,
		ActionSearch:   true,
		ActionView:     true,
		ActionDownload: true,
	}
	GrantNone = Grant{}
)
Standard grants provided to simplify configuration.
var ClientRoles = RoleStrings{
	string(RoleAdmin):  RoleAdmin,
	string(RoleClient): RoleClient,
	string(RoleNone):   RoleNone,
}
ClientRoles maps valid API client roles.
var Events = ACL{
	ResourceDefault: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ChannelUser: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSubscribeOwn,
	},
	ChannelSession: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSubscribeOwn,
	},
}
Events specifies granted permissions by event channel and Role.
var GrantDefaults = Roles{
	RoleAdmin:   GrantFullAccess,
	RoleVisitor: GrantViewShared,
	RoleClient:  GrantFullAccess,
}
GrantDefaults defines default grants for all supported roles.
var ResourceNames = []Resource{
	ResourceFiles,
	ResourceFolders,
	ResourceShares,
	ResourcePhotos,
	ResourceVideos,
	ResourceFavorites,
	ResourceAlbums,
	ResourceMoments,
	ResourceCalendar,
	ResourcePeople,
	ResourcePlaces,
	ResourceLabels,
	ResourceConfig,
	ResourceSettings,
	ResourcePasscode,
	ResourcePassword,
	ResourceServices,
	ResourceUsers,
	ResourceSessions,
	ResourceLogs,
	ResourceWebDAV,
	ResourceMetrics,
	ResourceFeedback,
	ResourceDefault,
}
ResourceNames contains a list of all specified resources.
var Resources = ACL{
	ResourceFiles: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceFolders: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceShares: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourcePhotos: GrantDefaults,
	ResourceVideos: GrantDefaults,
	ResourceFavorites: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceAlbums: GrantDefaults,
	ResourceMoments: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceCalendar: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantSearchShared,
		RoleClient:  GrantFullAccess,
	},
	ResourcePeople: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourcePlaces: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: GrantViewShared,
		RoleClient:  GrantFullAccess,
	},
	ResourceLabels: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceConfig: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleClient:  GrantViewOwn,
		RoleDefault: GrantViewOwn,
	},
	ResourceSettings: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleVisitor: Grant{AccessOwn: true, ActionView: true},
		RoleClient:  Grant{AccessOwn: true, ActionView: true, ActionUpdate: true},
	},
	ResourceServices: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourcePasscode: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourcePassword: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourceUsers: Roles{
		RoleAdmin:  Grant{AccessAll: true, AccessOwn: true, ActionView: true, ActionCreate: true, ActionUpdate: true, ActionDelete: true, ActionSubscribe: true},
		RoleClient: Grant{AccessOwn: true, ActionView: true},
	},
	ResourceSessions: Roles{
		RoleAdmin:   GrantFullAccess,
		RoleDefault: Grant{AccessOwn: true, ActionView: true, ActionCreate: true, ActionUpdate: true, ActionDelete: true, ActionSubscribe: true},
	},
	ResourceLogs: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceWebDAV: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantFullAccess,
	},
	ResourceMetrics: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantViewAll,
	},
	ResourceFeedback: Roles{
		RoleAdmin: GrantFullAccess,
	},
	ResourceDefault: Roles{
		RoleAdmin:  GrantFullAccess,
		RoleClient: GrantNone,
	},
}
Resources specifies granted permissions by Resource and Role.
var UserRoles = RoleStrings{
	string(RoleAdmin):   RoleAdmin,
	string(RoleVisitor): RoleVisitor,
	string(RoleNone):    RoleNone,
}
UserRoles maps valid user account roles.
Functions ¶
This section is empty.
Types ¶
type ACL ¶
ACL represents an access control list based on Resource, Roles, and Permissions.
func (ACL) Allow ¶
func (acl ACL) Allow(resource Resource, role Role, perm Permission) bool
Allow checks whether the role is granted permission for the specified resource.
func (ACL) AllowAll ¶
func (acl ACL) AllowAll(resource Resource, role Role, perms Permissions) bool
AllowAll checks whether the role is granted all of the permissions for the specified resource.
func (ACL) AllowAny ¶
func (acl ACL) AllowAny(resource Resource, role Role, perms Permissions) bool
AllowAny checks whether the role is granted any of the permissions for the specified resource.
func (ACL) Deny ¶
func (acl ACL) Deny(resource Resource, role Role, perm Permission) bool
Deny checks whether the role must be denied the permission for the specified resource.
func (ACL) DenyAll ¶
func (acl ACL) DenyAll(resource Resource, role Role, perms Permissions) bool
DenyAll checks whether the role is granted none of the permissions for the specified resource.
type Grant ¶
type Grant map[Permission]bool
Grant represents permissions granted or denied.
func (Grant) Allow ¶
func (grant Grant) Allow(perm Permission) bool
Allow checks whether the permission is granted.
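The lookup chain behind the Allow, AllowAll, AllowAny, Deny and DenyAll checks and Grant.Allow, as an added example that is not code from the acl package or from PhotoPrism. The type shapes are taken from this page (Grant is map[Permission]bool, Roles maps Role to Grant, ACL maps Resource to Roles, RoleStrings maps strings to Role), but the fallback order it implements (an explicit entry, then RoleDefault or ResourceDefault, then FullAccess acting as a wildcard), the refusal to let the empty role inherit RoleDefault, the empty-list result of AllowAll, and the ParseRole helper are assumptions about the intended semantics rather than behaviour this documentation states. The string value "access_shared" for AccessShared and SampleACL, a cut-down copy of the Resources table above, are constructed for the example.

```go
package main

// Added illustration of the checks documented for the acl package; not
// PhotoPrism's code. Type shapes follow the docs, but the lookup order (explicit
// entry, then RoleDefault/ResourceDefault, then FullAccess) is an assumption.

type Permission string
type Permissions []Permission
type Resource string
type Role string
type Grant map[Permission]bool
type Roles map[Role]Grant
type ACL map[Resource]Roles
type RoleStrings map[string]Role

// Subset of the documented identifiers; the value of AccessShared is assumed.
const (
	FullAccess      Permission = "full_access"
	AccessOwn       Permission = "access_own"
	AccessShared    Permission = "access_shared"
	ActionView      Permission = "view"
	ActionDownload  Permission = "download"
	ResourcePhotos  Resource   = "photos"
	ResourceConfig  Resource   = "config"
	ResourceDefault Resource   = "default"
	RoleDefault     Role       = "default"
	RoleAdmin       Role       = "admin"
	RoleVisitor     Role       = "visitor"
	RoleClient      Role       = "client"
	RoleNone        Role       = ""
)

var (
	GrantFullAccess = Grant{FullAccess: true} // wildcard; the documented grant also lists each permission
	GrantViewShared = Grant{AccessShared: true, ActionView: true, ActionDownload: true}
	GrantViewOwn    = Grant{AccessOwn: true, ActionView: true}
	GrantNone       = Grant{}
	// UserRoles mirrors the documented map of valid user account roles.
	UserRoles = RoleStrings{string(RoleAdmin): RoleAdmin, string(RoleVisitor): RoleVisitor, string(RoleNone): RoleNone}
	// SampleACL is a constructed subset of the documented Resources table.
	SampleACL = ACL{
		ResourcePhotos:  Roles{RoleAdmin: GrantFullAccess, RoleVisitor: GrantViewShared, RoleClient: GrantFullAccess},
		ResourceConfig:  Roles{RoleAdmin: GrantFullAccess, RoleClient: GrantViewOwn, RoleDefault: GrantViewOwn},
		ResourceDefault: Roles{RoleAdmin: GrantFullAccess, RoleClient: GrantNone},
	}
)

// Allow: an explicit entry wins, otherwise a FullAccess entry covers every permission.
func (grant Grant) Allow(perm Permission) bool {
	if v, ok := grant[perm]; ok {
		return v
	}
	return grant[FullAccess]
}

// Allow falls back to RoleDefault, except for the empty role, which is never granted anything here.
func (roles Roles) Allow(role Role, perm Permission) bool {
	g, ok := roles[role]
	if !ok && role != RoleNone {
		g, ok = roles[RoleDefault]
	}
	return ok && g.Allow(perm)
}

// Allow falls back to ResourceDefault for resources without their own entry.
func (acl ACL) Allow(resource Resource, role Role, perm Permission) bool {
	r, ok := acl[resource]
	if !ok {
		r, ok = acl[ResourceDefault]
	}
	return ok && r.Allow(role, perm)
}

// AllowAll requires every listed permission; an empty list is never a pass.
func (acl ACL) AllowAll(resource Resource, role Role, perms Permissions) bool {
	for _, p := range perms {
		if !acl.Allow(resource, role, p) {
			return false
		}
	}
	return len(perms) > 0
}

// AllowAny requires at least one permission; Deny and DenyAll negate.
func (acl ACL) AllowAny(resource Resource, role Role, perms Permissions) bool {
	for _, p := range perms {
		if acl.Allow(resource, role, p) {
			return true
		}
	}
	return false
}

func (acl ACL) Deny(resource Resource, role Role, perm Permission) bool { return !acl.Allow(resource, role, perm) }
func (acl ACL) DenyAll(resource Resource, role Role, perms Permissions) bool { return !acl.AllowAny(resource, role, perms) }

// ParseRole maps an untrusted role string to a known Role; unknown strings yield RoleNone (the map's zero value).
func ParseRole(s string, valid RoleStrings) Role { return valid[s] }
```

Exercise it with go test and assertions such as SampleACL.Allow(ResourcePhotos, RoleVisitor, ActionView) being true and SampleACL.Allow(ResourceConfig, RoleNone, ActionView) being false. Two points are worth confirming against whatever the real package does before relying on it: whether a role string that is absent from a resource's table inherits RoleDefault (putting a ParseRole step in front of the check keeps unknown strings from reaching the ACL at all), and what AllowAll returns for an empty permission list, since a vacuous true there would let a handler that builds its permission list dynamically pass the check with nothing in it.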
type Permission ¶
type Permission string
Permission represents a single ability.
const (
	FullAccess      Permission = "full_access"
	AccessLibrary   Permission = "access_library"
	AccessPrivate   Permission = "access_private"
	AccessOwn       Permission = "access_own"
	AccessAll       Permission = "access_all"
	ActionSearch    Permission = "search"
	ActionView      Permission = "view"
	ActionUpload    Permission = "upload"
	ActionCreate    Permission = "create"
	ActionUpdate    Permission = "update"
	ActionDownload  Permission = "download"
	ActionDelete    Permission = "delete"
	ActionRate      Permission = "rate"
	ActionReact     Permission = "react"
	ActionManage    Permission = "manage"
	ActionSubscribe Permission = "subscribe"
)
Permissions that can be granted to roles.
func (Permission) Equal ¶
func (p Permission) Equal(s string) bool
Equal checks whether the permission matches the given string.
func (Permission) LogId ¶
func (p Permission) LogId() string
LogId returns an identifier string for use in log messages.
func (Permission) NotEqual ¶
func (p Permission) NotEqual(s string) bool
NotEqual checks whether the permission differs from the given string.
type Permissions ¶
type Permissions []Permission
Permissions is a list of permissions.
func (Permissions) String ¶
func (perm Permissions) String() string
String returns the permissions as a comma-separated string.
type Resource ¶
type Resource string
Resource represents a resource for which roles can be granted Permission.
const (
	ChannelUser      Resource = "user"
	ChannelSession   Resource = "session"
	ChannelAudit     Resource = "audit"
	ChannelLog       Resource = "log"
	ChannelNotify    Resource = "notify"
	ChannelIndex     Resource = "index"
	ChannelUpload    Resource = "upload"
	ChannelImport    Resource = "import"
	ChannelConfig    Resource = "config"
	ChannelCount     Resource = "count"
	ChannelPhotos    Resource = "photos"
	ChannelCameras   Resource = "cameras"
	ChannelLenses    Resource = "lenses"
	ChannelCountries Resource = "countries"
	ChannelAlbums    Resource = "albums"
	ChannelLabels    Resource = "labels"
	ChannelSubjects  Resource = "subjects"
	ChannelPeople    Resource = "people"
	ChannelSync      Resource = "sync"
)
Events that Roles can be granted Permission to listen to.
const (
	ResourceFiles     Resource = "files"
	ResourceFolders   Resource = "folders"
	ResourcePhotos    Resource = "photos"
	ResourceVideos    Resource = "videos"
	ResourceFavorites Resource = "favorites"
	ResourceAlbums    Resource = "albums"
	ResourceMoments   Resource = "moments"
	ResourceCalendar  Resource = "calendar"
	ResourcePeople    Resource = "people"
	ResourcePlaces    Resource = "places"
	ResourceLabels    Resource = "labels"
	ResourceConfig    Resource = "config"
	ResourceSettings  Resource = "settings"
	ResourcePasscode  Resource = "passcode"
	ResourcePassword  Resource = "password"
	ResourceServices  Resource = "services"
	ResourceUsers     Resource = "users"
	ResourceSessions  Resource = "sessions"
	ResourceLogs      Resource = "logs"
	ResourceWebDAV    Resource = "webdav"
	ResourceMetrics   Resource = "metrics"
	ResourceFeedback  Resource = "feedback"
	ResourceDefault   Resource = "default"
)
Resources for which Roles can be granted Permission.
type Role ¶
type Role string
Role represents a user role.
const (
	RoleDefault Role = "default"
	RoleAdmin   Role = "admin"
	RoleVisitor Role = "visitor"
	RoleClient  Role = "client"
	RoleNone    Role = ""
)
Roles that can be assigned to users.
type RoleStrings ¶
RoleStrings represents user role names mapped to roles.