Struct SpiceDbRepository 

pub struct SpiceDbRepository { /* private fields */ }

Main SpiceDB client for performing authorization checks.

SpiceDbRepository provides a high-level interface to interact with SpiceDB, a Google Zanzibar-inspired authorization system. It handles connection management, authentication, and permission checking operations.

Architecture

The repository maintains a gRPC connection to a SpiceDB server and provides methods to check whether a subject (e.g., a user) has a specific permission on a resource (e.g., a channel or server).

Examples

use authz::{SpiceDbRepository, SpiceDbConfig, SpiceDbObject, Permissions};

let config = SpiceDbConfig {
    endpoint: "localhost:50051".to_string(),
    token: Some("your-token".to_string()),
};

let repo = SpiceDbRepository::new(config).await?;

// Check if user can view a channel
let result = repo.check_permissions(
    SpiceDbObject::Channel("channel-123".to_string()),
    Permissions::ViewChannels,
    SpiceDbObject::User("user-456".to_string()),
).await;

if result.has_permissions() {
    println!("Access granted!");
}

Implementations

impl SpiceDbRepository

pub async fn new(config: SpiceDbConfig) -> Result<Self, AuthorizationError>

Creates a new SpiceDB client with the given configuration.

This establishes a gRPC connection to the SpiceDB server and sets up authentication using the provided token.

Arguments

• config - Configuration containing the endpoint URL and optional authentication token

Returns

Returns Ok(SpiceDbRepository) on successful connection, or an AuthorizationError::ConnectionError if the connection fails.

Examples

use authz::{SpiceDbRepository, SpiceDbConfig};

let config = SpiceDbConfig {
    endpoint: "localhost:50051".to_string(),
    token: Some("somerandomkey".to_string()),
};

let repo = SpiceDbRepository::new(config).await?;

Errors

This function will return an error if:

• The endpoint URL is invalid
• The connection to SpiceDB cannot be established
• Network issues prevent communication with the server

pub async fn check_permissions( &self, resource: impl Into<SpiceDbObject>, permission: Permissions, subject: impl Into<SpiceDbObject>, ) -> AuthorizationResult

Checks if a subject has a specific permission on a resource.

This is the primary method for performing authorization checks in your application. It evaluates whether the given subject (e.g., a user) has the specified permission on the target resource (e.g., a channel, server, or other object).

How It Works

The method performs the following steps:

1. Converts the resource and subject into SpiceDB object references
2. Sends a gRPC CheckPermission request to SpiceDB
3. SpiceDB evaluates the permission based on defined relationships and rules
4. Returns an AuthorizationResult indicating whether access is granted

Arguments

• resource - The resource being accessed (e.g., SpiceDbObject::Channel("123"))
• permission - The permission being checked (e.g., Permissions::ViewChannels)
• subject - The entity requesting access (e.g., SpiceDbObject::User("456"))

Returns

Returns an AuthorizationResult which can be queried with:

• has_permissions() - Returns true if access is granted
• result() - Returns Ok(()) if granted, or Err(AuthorizationError) if denied

Examples

Basic permission check

use authz::{SpiceDbRepository, SpiceDbObject, Permissions};

let result = repo.check_permissions(
    SpiceDbObject::Channel("general".to_string()),
    Permissions::SendMessages,
    SpiceDbObject::User("alice".to_string()),
).await;

if result.has_permissions() {
    // Allow user to send message
    println!("User can send messages");
} else {
    // Deny access
    println!("User cannot send messages");
}

Using result() for error handling

use authz::{SpiceDbRepository, SpiceDbObject, Permissions, AuthorizationError};

let result = repo.check_permissions(
    SpiceDbObject::Server("server-1".to_string()),
    Permissions::ManageRoles,
    SpiceDbObject::User("bob".to_string()),
).await;

// Returns error if permission denied
result.result()?;

// Continue with authorized action
println!("User is authorized to manage roles");

Checking administrative access

use authz::{SpiceDbRepository, SpiceDbObject, Permissions};

let is_admin = repo.check_permissions(
    SpiceDbObject::Server("my-server".to_string()),
    Permissions::Administrator,
    SpiceDbObject::User("charlie".to_string()),
).await.has_permissions();

if is_admin {
    // Grant full access
}

Performance Considerations

Each call to this method makes a network request to SpiceDB. For high-performance scenarios, consider:

• Caching authorization results when appropriate
• Batching multiple checks when possible
• Using SpiceDB’s consistency guarantees to balance freshness vs. performance

See Also

• check_permissions_raw - Lower-level API with more control
• Permissions - Available permission types
• SpiceDbObject - Resource and subject types

pub async fn check_permissions_raw( &self, resource: impl Into<ObjectReference>, permission: impl Into<String>, subject: impl Into<ObjectReference>, ) -> Result<Permissionship, AuthorizationError>

Performs a raw permission check using SpiceDB object references and string permissions.

This is a lower-level API that provides more flexibility than check_permissions. It allows you to specify permissions as strings and use custom object references directly, which can be useful for:

• Custom permission types not defined in the Permissions enum
• Dynamic permission names determined at runtime
• Direct integration with SpiceDB’s native types

Arguments

• resource - The resource object reference (must implement Into<ObjectReference>)
• permission - The permission name as a string (e.g., “view”, “edit”, “admin”)
• subject - The subject object reference (must implement Into<ObjectReference>)

Returns

Returns a Result containing:

• Ok(Permissionship) - The permission status from SpiceDB:
  • Permissionship::HasPermission - Access is granted
  • Permissionship::NoPermission - Access is denied
  • Permissionship::ConditionalPermission - Access depends on additional context
• Err(AuthorizationError::Unauthorized) - The check failed or was denied

Examples

Custom permission check

use authz::{SpiceDbRepository, authzed::api::v1::ObjectReference};

let resource = ObjectReference {
    object_type: "document".to_string(),
    object_id: "doc-123".to_string(),
};

let subject = ObjectReference {
    object_type: "user".to_string(),
    object_id: "user-456".to_string(),
};

let permissionship = repo.check_permissions_raw(
    resource,
    "edit",
    subject,
).await?;

match permissionship {
    authz::authzed::api::v1::check_permission_response::Permissionship::HasPermission => {
        println!("Permission granted");
    }
    _ => {
        println!("Permission denied");
    }
}

Dynamic permission names

use authz::{SpiceDbRepository, SpiceDbObject};

let permission_name = format!("can_{}", action);

let result = repo.check_permissions_raw(
    SpiceDbObject::Channel(resource_id.to_string()),
    permission_name,
    SpiceDbObject::User(user_id.to_string()),
).await?;

Ok(result.has_permissions())

Errors

This function will return an error if:

• The gRPC connection to SpiceDB fails
• The request times out
• The permission check is denied (returns AuthorizationError::Unauthorized)

See Also

• check_permissions - Higher-level, type-safe API
• SpiceDB CheckPermission API

Trait Implementations

impl Clone for SpiceDbRepository

fn clone(&self) -> SpiceDbRepository

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.