QOR5's permission system is based on https://github.com/ory/ladon.
A policy reads like a sentence:
Who is able to do what on something (given some context)
Who - Subject
Typically, in an admin system, subjects are user roles.
Use SubjectsFunc to fetch the subjects of the current request:
Able - Effect
What - Action
presets ships with a list of built-in actions:
You can also define other, more specific actions if needed.
Something - Resource
An arbitrary, unique resource name.
The built-in presets resource format is
:presets:user_management:users:1: represents the user record with id 1 under the URI user_management.
* is the wildcard.
Context - Condition
The current context, which carries condition information about the resource.
Use ContextFunc to build the context for a request:
Use Given to attach conditions to a policy:
Let's say there is a button on the User detail page used to ban the user, and only
super_admin users have permission to execute this action.
First, create a verifier.
Then inject this verifier into the relevant logic, such as:
- whether to show the ban button;
- validating permission before executing the ban action.
Finally, add the policy.
prints permission logs, which are very helpful for debugging the permission policies:
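As an added example, not code from the QOR5 project or from this page, the following stand-alone Go program models both the policy sentence described above (subject, effect, action, resource, condition) and the ban-button scenario. The PolicyFor/WhoAre/ToDo/On/Given builder, the Verifier type, EqualsCondition, the "ban" action name, the is_myself context key and the self-ban deny policy are all this example's own assumptions; resources use the colon-separated format from the page with * as a wildcard, and decisions follow ladon's rule that a matching deny wins and that no matching policy means denied.

```go
package main

import (
	"errors"
	"fmt"
	"path"
)

// Effects and wildcard, named after the page's vocabulary (constructed here, not qor5's).
const (
	Allowed  = "allow"
	Denied   = "deny"
	Anything = "*"
)

// Context is the condition information a ContextFunc supplies about the resource.
type Context map[string]interface{}

// Condition is checked against the context value stored under the policy's key.
type Condition interface{ Fulfills(v interface{}) bool }

// EqualsCondition passes when the context value equals Equals (assumed shape).
type EqualsCondition struct{ Equals interface{} }

func (c EqualsCondition) Fulfills(v interface{}) bool { return v == c.Equals }

// Policy: Who (Subjects) are (Effect) able ToDo (Actions) On (Resources) Given (Conditions).
type Policy struct {
	Subjects, Actions, Resources []string
	Effect                       string
	Conditions                   map[string]Condition
}

// Fluent builder mirroring the sentence "who is able to do what on something given context".
func PolicyFor(subjects ...string) *Policy             { return &Policy{Subjects: subjects} }
func (p *Policy) WhoAre(effect string) *Policy         { p.Effect = effect; return p }
func (p *Policy) ToDo(actions ...string) *Policy       { p.Actions = actions; return p }
func (p *Policy) On(resources ...string) *Policy       { p.Resources = resources; return p }
func (p *Policy) Given(c map[string]Condition) *Policy { p.Conditions = c; return p }

// Request is the question asked of the verifier for one HTTP request.
type Request struct {
	Subjects []string // what SubjectsFunc returns, e.g. the current user's roles
	Action   string
	Resource string
	Context  Context // what ContextFunc returns
}

// matchAny reports whether value matches at least one pattern; "*" matches any run of characters.
func matchAny(patterns []string, value string) bool {
	for _, pat := range patterns {
		if ok, _ := path.Match(pat, value); ok {
			return true
		}
	}
	return false
}

// matches is true when subject, action, resource and every condition fit the request.
func (p *Policy) matches(r *Request) bool {
	subjectHit := false
	for _, s := range r.Subjects {
		if matchAny(p.Subjects, s) {
			subjectHit = true
		}
	}
	if !subjectHit || !matchAny(p.Actions, r.Action) || !matchAny(p.Resources, r.Resource) {
		return false
	}
	for key, cond := range p.Conditions {
		if !cond.Fulfills(r.Context[key]) { // missing context key never fulfils a condition
			return false
		}
	}
	return true
}

// Verifier holds the policies; Verbose prints one log line per matched policy.
type Verifier struct {
	Policies []*Policy
	Verbose  bool
}

// IsAllowed: any matching deny wins; otherwise one matching allow is required; no match is denied.
func (v *Verifier) IsAllowed(r *Request) error {
	allowed := false
	for i, p := range v.Policies {
		if !p.matches(r) {
			continue
		}
		if v.Verbose {
			fmt.Printf("perm: policy #%d (%s) matched subjects=%v action=%s resource=%s\n", i, p.Effect, r.Subjects, r.Action, r.Resource)
		}
		if p.Effect == Denied {
			return errors.New("denied by policy")
		}
		allowed = true
	}
	if !allowed {
		return errors.New("no policy allows this request")
	}
	return nil
}

// banVerifier builds the page's scenario with constructed policies: only super_admin may ban,
// and nobody may ban themselves (the is_myself condition demonstrates Given + Context).
func banVerifier() *Verifier {
	return &Verifier{Verbose: true, Policies: []*Policy{
		PolicyFor("super_admin").WhoAre(Allowed).ToDo("ban").On(":presets:user_management:users:*"),
		PolicyFor(Anything).WhoAre(Denied).ToDo("ban").On(":presets:user_management:users:*").
			Given(map[string]Condition{"is_myself": EqualsCondition{Equals: true}}),
	}}
}

// CanBan is the single check that both the ban button and the ban handler call.
func CanBan(v *Verifier, roles []string, userID int, isMyself bool) bool {
	return v.IsAllowed(&Request{
		Subjects: roles,
		Action:   "ban",
		Resource: fmt.Sprintf(":presets:user_management:users:%d:", userID),
		Context:  Context{"is_myself": isMyself},
	}) == nil
}

func main() {
	v := banVerifier()
	fmt.Println(CanBan(v, []string{"super_admin"}, 1, false)) // true
	fmt.Println(CanBan(v, []string{"editor"}, 1, false))      // false: no policy allows it
	fmt.Println(CanBan(v, []string{"super_admin"}, 1, true))  // false: self-ban denied
}
```

Because the same CanBan check gates both the button's visibility and the handler that performs the ban, hiding the button is never the only control; the verbose log line shows which policy produced each decision, which is what you read when a rule misfires.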