Struct AccessScope 

pub struct AccessScope { /* private fields */ }

A disjunction (OR) of scope constraints defining what data is accessible.

Each constraint is an independent access path (OR-ed). Filters within a constraint are AND-ed. An unconstrained scope bypasses row-level filtering.

Examples

use modkit_security::access_scope::{AccessScope, ScopeConstraint, ScopeFilter, pep_properties};
use uuid::Uuid;

// deny-all (default)
let scope = AccessScope::deny_all();
assert!(scope.is_deny_all());

// single tenant
let tid = Uuid::new_v4();
let scope = AccessScope::for_tenant(tid);
assert!(!scope.is_deny_all());
assert!(scope.contains_uuid(pep_properties::OWNER_TENANT_ID, tid));

Implementations

impl AccessScope

pub fn from_constraints(constraints: Vec<ScopeConstraint>) -> Self

Create an access scope from a list of constraints (OR-ed).

pub fn single(constraint: ScopeConstraint) -> Self

Create an access scope with a single constraint.

pub fn allow_all() -> Self

Create an “allow all” (unconstrained) scope.

This represents a legitimate PDP decision with no row-level filtering. Not a bypass — it’s a valid authorization outcome.

pub fn deny_all() -> Self

Create a “deny all” scope (no access).

pub fn for_tenants(ids: Vec<Uuid>) -> Self

Create a scope for a set of tenant IDs.

pub fn for_tenant(id: Uuid) -> Self

Create a scope for a single tenant ID.

pub fn for_resources(ids: Vec<Uuid>) -> Self

Create a scope for a set of resource IDs.

pub fn for_resource(id: Uuid) -> Self

Create a scope for a single resource ID.

pub fn constraints(&self) -> &[ScopeConstraint]

The constraints in this scope (OR-ed).

pub fn is_unconstrained(&self) -> bool

Returns true if this scope is unconstrained (allow-all).

pub fn is_deny_all(&self) -> bool

Returns true if this scope denies all access.

A scope is deny-all when it is not unconstrained and has no constraints.

pub fn all_values_for(&self, property: &str) -> Vec<&ScopeValue>

Collect all values for a given property across all constraints.

pub fn all_uuid_values_for(&self, property: &str) -> Vec<Uuid>

Collect all UUID values for a given property across all constraints.

Convenience wrapper — skips non-UUID values.

pub fn contains_value(&self, property: &str, value: &ScopeValue) -> bool

Check if any constraint has a filter matching the given property and value.

pub fn contains_uuid(&self, property: &str, id: Uuid) -> bool

Check if any constraint has a filter matching the given property and UUID.

pub fn has_property(&self, property: &str) -> bool

Check if any constraint references the given property.

Trait Implementations

impl Clone for AccessScope

fn clone(&self) -> AccessScope

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for AccessScope

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for AccessScope

fn default() -> Self

Default is deny-all: no constraints and not unconstrained.

impl PartialEq for AccessScope

fn eq(&self, other: &AccessScope) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for AccessScope