A Role identifies who's making a call, and what they're allowed to do. What they're allowed to do is given by a list of Policies (more details here). Some Policies can be configured, that is, have parameters given to them. These are stored in the Role.
A Role can also have parents. When parents are provided, they provide the starting point for the Role's Policies. This allows, for example, a Role to be created with restricted access to somebody else's resources - a bit like setuid.
Each User must have a default Role. The default Role is used for API access from web pages by that user. A Role named '' is treated as a default Role. It is recommended that any non-default Role have the same User's default Role as an ancestor (a parent or a parent's parent, ...).
A Role can do everything the Policies allow it - if one Policy allows it, the Role can do it.
A Policy starts with the permission given by all the Role's parents, and then trims that back to just what is needed. When there are no parents, this is effectively 'do anything as the Role's User'.
Policies can have parameters - these are set by the Role. These can be constants, or Python expressions, with a few limits to avoid security leaks or DoS attacks.
We recommend that other Roles owned by the same user have the User's default Role as a parent. When you do this, the default Role becomes a gatekeeper for that User's access through the API. Changing the Policies attached to the default Role allows you to regulate what that User can do. For example, a newly registered User might only be allowed to delete their account, and only once they've verified their email address, say, is the rest of your API permitted.
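The following is an added example, not code from this project: a simplified Python model of the rules described above (parents give the starting point, any one Policy is enough, no Policy means no access) applied to the gatekeeper scenario. ModelRole, allow_actions, allow_if_verified and the delete_user action name are hypothetical, and requiring every parent to allow an action is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Hypothetical model: a policy is a predicate over (action, context).
PolicyFn = Callable[[str, Dict], bool]


@dataclass
class ModelRole:
    name: str  # '' marks a default role, as on the page
    policies: List[PolicyFn] = field(default_factory=list)
    parents: List["ModelRole"] = field(default_factory=list)

    def allows(self, action: str, ctx: Dict) -> bool:
        # Starting point: what the parents permit. Assumption: with several
        # parents, every one of them must permit the action.
        if not all(p.allows(action, ctx) for p in self.parents):
            return False
        # Policies trim that back; one matching policy is enough.
        # A role with no policies can do nothing.
        return any(policy(action, ctx) for policy in self.policies)


def allow_actions(*names: str) -> PolicyFn:
    return lambda action, ctx: action in names


def allow_if_verified(action: str, ctx: Dict) -> bool:
    # Opens the rest of the API once the email address is verified.
    return bool(ctx.get("email_verified"))


# Default role: the gatekeeper for everything this user's roles can do.
default_role = ModelRole("", [allow_actions("delete_user"), allow_if_verified])
# Non-default role with the default role as parent (the recommended layout).
reporting = ModelRole("reporting", [allow_actions("describe_user")], [default_role])
# A role with no policies at all.
empty = ModelRole("empty", [], [default_role])


def decisions() -> Dict[str, bool]:
    new, verified = {"email_verified": False}, {"email_verified": True}  # constructed
    return {
        "new_delete": default_role.allows("delete_user", new),
        "new_describe_via_child": reporting.allows("describe_user", new),
        "verified_describe_via_child": reporting.allows("describe_user", verified),
        "verified_modify_via_child": reporting.allows("modify_user", verified),
        "empty_role": empty.allows("delete_user", verified),
    }
```

In this model the child role cannot reach describe_user until the default role opens up, which is the gatekeeper effect the recommendation relies on.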
Role's owner.
Role. You must add at least one Policy, otherwise the role can do nothing.
Role. Use '' for User's default Roles - and require a name for any other Roles.
Role was created.
Roles of this Role. Default Roles don't need parents, other ones do.
Role sets for evaluating Policies.
Role was last used (by an api call)
deep_update_parameters(update)->None
check_parameters(params)->None
static role_allows_api(action, kwargs, resources, user_check, context, policies, ignore_resource_policies)->Bool
Check if the action is allowed by this Role.
action
kwargs
resources: (path, resource, access) from the call where the path is the path to the resource in the arguments, resource is the resource itself, and access is a ResourceAccess for how the method will use the resource.
user_check = lambda user: True
context: PolicyContext for this check. context.context is the context for evaluating substitutions - it defines the values available.
policies: policies(ctx:PolicyContext) returns an iterable of ResourceUsesPolicy(models.Model) giving the policies for this method.
ignore_resource_policies
for_context()
Role overrides this to provide:
.api_id, .urn, .owning_user
.created_roles
Role being checked
(path, resource, access) of all resources used in the call
This enum specifies how a resource is being accessed by a method.
.Public: describe_user_brief, for example.
.Read: describe_user, for example.
.Full: modify_user, for example.