Lightning.Policies.Permissions (Lightning v2.14.5-pre1)


This module defines a single interface for managing authorization in Lightning.

Users in Lightning have instance-wide and project-wide roles which determine their level of access to resources in the application. For more details see the documentation.

Policy Modules

Authorization policies are implemented under lib/lightning/policies/:

  • users.ex - Instance-wide access levels
  • project_users.ex - Project-wide access levels
  • credentials.ex - Credential management permissions
  • workflows.ex - Workflow-related permissions
  • collections.ex - Collection access permissions
  • dataclips.ex - Dataclip permissions
  • exports.ex - Export functionality permissions
  • provisioning.ex - Resource provisioning permissions

Interface

This module provides the can/4 and can?/4 interface, which wraps Bodyguard.permit/4 to harmonize policy usage across the application.

Policy Resolution: You can reference policy modules in two ways:

Functions

  • can(policy, action, actor, resource) - Returns :ok or {:error, :unauthorized}
  • can?(policy, action, actor, resource) - Returns true or false

Examples

Using full module names:

can_edit = Lightning.Policies.ProjectUsers 
           |> Lightning.Policies.Permissions.can?(:edit_workflow, user, project)

Using atom shortcuts:

can_create = Permissions.can?(:credentials, :create_keychain_credential, project_user)
can_delete = Permissions.can?(:project_users, :delete_project, user, project)

All policies are comprehensively tested in test/lightning/policies/.
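
An added example, not Lightning's own code: a stand-alone sketch of the can/4 and can?/4 return contract described above, with can/4 guarding the action itself and can?/4 used for yes/no decisions. Demo.ProjectPolicy, Demo.Permissions, Demo.Projects, the role names and the project map are assumptions made for the illustration, and the stand-in calls the policy's authorize/3 callback directly rather than going through Bodyguard.permit/4.

```elixir
# Stand-in modules for illustration only (assumptions, not Lightning's code).
defmodule Demo.ProjectPolicy do
  # Same callback shape as a Bodyguard policy: authorize(action, actor, resource).
  # Role names and the project map layout are constructed for this example.
  def authorize(:edit_workflow, %{id: uid}, %{members: members}),
    do: Map.get(members, uid) in [:owner, :admin, :editor]

  def authorize(:delete_project, %{id: uid}, %{members: members}),
    do: Map.get(members, uid) == :owner

  # Fail closed: unknown actions or malformed arguments are denied.
  def authorize(_action, _actor, _resource), do: false
end

defmodule Demo.Permissions do
  # Mirrors the documented return contract of can/4 and can?/4.
  def can(policy, action, actor, resource \\ []) do
    if policy.authorize(action, actor, resource) == true,
      do: :ok,
      else: {:error, :unauthorized}
  end

  def can?(policy, action, actor, resource \\ []),
    do: can(policy, action, actor, resource) == :ok
end

defmodule Demo.Projects do
  alias Demo.{Permissions, ProjectPolicy}

  # Enforcement point: can/4 in a `with` chain, so a denial short-circuits
  # before the side effect and the error tuple goes back to the caller.
  def delete(actor, project) do
    with :ok <- Permissions.can(ProjectPolicy, :delete_project, actor, project) do
      {:ok, {:deleted, project.id}}
    end
  end
end

# Constructed sample data.
project = %{id: 1, members: %{10 => :owner, 11 => :editor}}
owner = %{id: 10}
editor = %{id: 11}

# can?/4 answers yes/no questions, e.g. whether to render a control.
true = Demo.Permissions.can?(Demo.ProjectPolicy, :edit_workflow, editor, project)
false = Demo.Permissions.can?(Demo.ProjectPolicy, :delete_project, editor, project)
# The action itself is still guarded with can/4, whatever the UI showed.
{:error, :unauthorized} = Demo.Projects.delete(editor, project)
{:ok, {:deleted, 1}} = Demo.Projects.delete(owner, project)
false = Demo.Permissions.can?(Demo.ProjectPolicy, :rename_project, owner, project)
```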

Summary

Functions

can(policy, action, user, params \\ [])

Checks whether user has permission to apply action under the given policy module.

can?(policy, action, user, params \\ [])

Same as can/4, but returns true if user can apply action and false otherwise.

Functions

can(policy, action, user, params \\ [])

Checks whether user has permission to apply action under the given policy module.

Returns :ok if user can apply action and {:error, :unauthorized} otherwise.

Examples

iex> can(Lightning.Policies.Users, :create_workflow, user, project)
:ok

iex> can(Lightning.Policies.Users, :create_project, user, %{})
{:error, :unauthorized}

can?(policy, action, user, params \\ [])

Same as can/4, but returns true if user can apply action and false otherwise.

Examples

iex> can?(Lightning.Policies.Users, :create_workflow, user, project)
true

iex> can?(Lightning.Policies.Users, :create_project, user, %{})
false