
Procedural macros for checking user permissions or roles.

Examples

use actix_web::{web, get, HttpResponse};
use actix_web_grants::proc_macro::{has_permissions, has_roles};
use actix_web::http::StatusCode;
use actix_web::body::BoxBody;

// User should be ADMIN with OP_GET_SECRET permission
/// Handler guarded by `has_permissions`: the caller must hold both
/// `ROLE_ADMIN` and `OP_GET_SECRET` (every listed permission is required).
#[has_permissions["ROLE_ADMIN", "OP_GET_SECRET"]]
async fn macro_secured() -> HttpResponse {
    let body = "some secured info";
    HttpResponse::Ok().body(body)
}

// Role - is permission with prefix "ROLE_".
// User should be ADMIN and MANAGER
/// Handler guarded by `has_roles`: the caller must hold both the `ADMIN` and
/// `MANAGER` roles, i.e. the `ROLE_ADMIN` and `ROLE_MANAGER` permissions.
#[has_roles["ADMIN", "MANAGER"]]
async fn role_macro_secured() -> HttpResponse {
    HttpResponse::build(StatusCode::OK).body("some secured info")
}

// Custom access denied message.
/// Handler guarded by `has_roles` with a custom denial response: a caller
/// without the `ADMIN` role receives whatever `access_denied()` returns
/// instead of the default rejection.
#[has_roles("ADMIN", error = "access_denied")]
async fn role_access() -> HttpResponse {
    let secured = "some secured info";
    HttpResponse::build(StatusCode::OK).body(secured)
}
// Non-admin role accessor will receive this response.
// The return type of the custom function must be `actix_web::HttpResponse`.
/// Denial response wired to `role_access` through `error = "access_denied"`.
///
/// Returns HTTP 403 with a short plain-text body. The function must return
/// `actix_web::HttpResponse` so the macro can substitute it for the handler's
/// response. This text is sent to callers that were refused, so keep it generic.
fn access_denied() -> HttpResponse {
    let status = StatusCode::FORBIDDEN;
    let body = BoxBody::new("This resource allowed only for ADMIN");
    HttpResponse::with_body(status, body)
}

// Additional security condition to ensure the protection of the endpoint
/// Handler guarded by `has_roles` plus a `secure` expression evaluated against
/// the handler's own parameters: the caller must hold the `USER` role *and*
/// the path `user_id` must equal `user.id`, otherwise access is refused.
///
/// NOTE(review): the grants attribute is placed above the `#[get]` route
/// attribute in the original example; keep that order when copying it.
/// NOTE(review): `web::Data` is application-wide shared state, so `user.id`
/// here is not the identity of the requesting caller — a real handler would
/// derive the caller's identity from the request itself. TODO confirm against
/// the middleware configuration.
#[has_roles("USER", secure = "user_id.into_inner() == user.id")]
#[get("/resource/{user_id}")]
async fn role_macro_secured_with_params(user_id: web::Path<i32>, user: web::Data<User>) -> HttpResponse {
    let body = "some secured info with parameters";
    HttpResponse::Ok().body(body)
}
/// Application data read by the `secure` expression in
/// `role_macro_secured_with_params`.
struct User {
    id: i32,
}

// Your own type is also supported (the middleware must be configured for this type as well):
/// Handler guarded by `has_roles` using a custom role type: the caller must
/// hold both `Role::Admin` and `Role::Manager`. `type = "Role"` names that
/// type; the middleware has to be configured for it as well.
#[has_roles["Role::Admin", "Role::Manager", type = "Role"]]
async fn role_enum_macro_secured() -> HttpResponse {
    HttpResponse::build(StatusCode::OK).body("some secured info")
}
/// Custom role type used by `role_enum_macro_secured`; `PartialEq` and
/// `Clone` are the bounds the macro requires.
#[derive(PartialEq, Clone)]
enum Role {
    Admin,
    Manager,
}

Attribute Macros

  • Macro to check that the user has any of the specified permissions.
  • Macro to check that the user has any of the specified roles. A role is a permission with the prefix “ROLE_”.
  • Macro to check that the user has all of the specified permissions. Allows adding a conditional restriction based on the handler's parameters: add the secure attribute followed by the boolean expression to validate against those parameters.
  • Macro to check that the user has all of the specified roles. A role is a permission with the prefix “ROLE_”.