# Root rule of the policy: every authorization decision reduces to a
# `has_permission` rule below. Nothing is allowed by default, so an
# actor/action/resource triple that no `has_permission` rule matches is denied.
allow(actor, action, resource) if
has_permission(actor, action, resource);
# Users can see each other.
# Both arguments are only specialized on type, so any User instance may
# "read" any other User (including itself) with no further restriction.
has_permission(_: User, "read", _: User);
# A User can read their own profile.
# The same variable `id` appears in both patterns, so the actor's id must
# unify with the resource's id: "read_profile" is self-only.
has_permission(_: User{id: id}, "read_profile", _:User{id: id});
# Any logged-in user can create a new org.
# The `User` specializer is the only gate: an actor that is not a User
# instance does not match this rule, and the Org argument is unconstrained.
has_permission(_: User, "create", _: Org);
# The single actor type in this policy; every has_permission/has_role rule
# specializes its actor argument on it.
actor User {}
# Organization: two roles, where "owner" is a strict superset of "member".
resource Org {
  roles = ["owner", "member"];
  permissions = [
    "read", "create_repos", "list_repos",
    "create_role_assignments", "list_role_assignments",
    "update_role_assignments", "delete_role_assignments",
  ];

  # Role hierarchy: an owner holds everything a member holds.
  "member" if "owner";

  # Member-level (read-only) permissions.
  "read" if "member";
  "list_repos" if "member";
  "list_role_assignments" if "member";

  # Owner-only permissions: creating repos and managing role assignments.
  "create_repos" if "owner";
  "create_role_assignments" if "owner";
  "update_role_assignments" if "owner";
  "delete_role_assignments" if "owner";
}
# Org role lookup: the host object's `org_roles` collection is scanned for an
# element whose `name` and `org` fields both match the role being checked.
# NOTE(review): `org: org` relies on host-language equality of Org objects —
# confirm the host class compares on a stable key (e.g. its id) rather than
# object identity, or role checks may silently fail for re-loaded instances.
has_role(user: User, name: String, org: Org) if
role in user.org_roles and
role matches { name: name, org: org };
# Repository: roles are either assigned directly (see the Repo has_role rule)
# or inherited from the parent Org through the "parent" relation.
resource Repo {
  roles = ["admin", "maintainer", "reader"];
  permissions = [
    "read", "create_issues", "list_issues",
    "create_role_assignments", "list_role_assignments",
    "update_role_assignments", "delete_role_assignments",
  ];
  relations = { parent: Org };

  # Roles inherited from the parent Org (resolved via has_relation(Org, "parent", Repo)).
  "admin" if "owner" on "parent";
  "reader" if "member" on "parent";

  # Local role hierarchy: admin -> maintainer -> reader.
  "maintainer" if "admin";
  "reader" if "maintainer";

  # Reader permissions. "maintainer" grants no Repo-level permission of its
  # own here; it matters only through "reader" and through the Issue rules.
  "read" if "reader";
  "list_issues" if "reader";
  "create_issues" if "reader";

  # Role-assignment management is admin-only, including listing.
  # NOTE(review): Org lets plain members "list_role_assignments", but Repo
  # requires admin for the same action — confirm the asymmetry is intended.
  "create_role_assignments" if "admin";
  "list_role_assignments" if "admin";
  "update_role_assignments" if "admin";
  "delete_role_assignments" if "admin";
}
# Repo role lookup: mirrors the Org rule above but reads the host object's
# `repo_roles` collection and matches on the `repo` field.
# NOTE(review): `repo: repo` relies on host-language equality of Repo objects —
# confirm equality is defined on a stable key rather than object identity.
has_role(user: User, name: String, repo: Repo) if
role in user.repo_roles and
role matches { name: name, repo: repo };
# Defines the Repo "parent" relation from the host attribute `repo.org`;
# this is what the `on "parent"` rules in the Repo block resolve through.
has_relation(org: Org, "parent", repo: Repo) if repo.org = org;
# Issue: the only locally assigned role is "creator"; everything else is
# inherited from the parent Repo through the "parent" relation.
resource Issue {
  roles = ["creator"];
  permissions = ["read", "close"];
  relations = { parent: Repo };

  # Visibility follows the parent Repo: a repo reader can read its issues.
  "read" if "reader" on "parent";

  # Closing is allowed for the issue's own creator, or for maintainers of the
  # parent Repo (and, via the Repo hierarchy, its admins).
  "close" if "creator";
  "close" if "maintainer" on "parent";
  # NOTE(review): "creator" grants "close" but not "read"; a creator who no
  # longer holds "reader" on the parent Repo can still close the issue —
  # confirm this is intended.
}
# Defines the Issue "parent" relation from the host attribute `issue.repo`;
# the `on "parent"` rules in the Issue block resolve through this.
has_relation(repo: Repo, "parent", issue: Issue) if issue.repo = repo;
# The "creator" role is derived, not assigned: it holds when the host
# attribute `issue.creator` unifies with the acting user.
# NOTE(review): this is host-language equality of User objects; if that is
# identity-based, separately loaded instances will not match and "close"
# will be denied for the creator (fails closed) — confirm User equality.
has_role(user: User, "creator", issue: Issue) if
issue.creator = user;