# authorization
Authorization is a _role-based-access-control_ (RBAC) library, to find _permission_ for the logged-_user_ on a _resource_.
A _resource_ can be a _check box_, _button_, or _textarea_ in html page.
Permissions can be used to _enable_/_disable_/_view_/_hide_ components such as checkbox, input text, buttons, ... in html pages.
## mappings of user - roles - permissions
Following two mapping files are used; they are external; they can be edited in any text editor:
* user to roles mapping file (refer [sample_user-roles.json](https://github.com/mohankumaranna/authorization/blob/master/sample_user_roles.json))
* for each resources, a role to permissions mapping is added. (refer [sample_resource_permissions.json](https://github.com/mohankumaranna/authorization/blob/master/sample_resource_permissions.json))
## permissions
A resource can have one or more of the following permission type:
* __C__ reate (also known as Add)
* __R__ ead (aka View)
* __U__ pdate (aka Edit)
* __D__ elete (aka Remove)
## explanations
* __user to roles__ mapping
Let's say, an user to have a view only role, a mapping can be made like:
```
{
"user_id": "1000",
"roles": ["viewer"]
}
Note: More than one role can be assigned within square bracket, like ["viewer", "supervisor"].
```
* __resource's role to permissions__ mapping
Let's say resource is a checkbox. Permission is required to enable/disable it.
role to permissions mapping can be like:
```
{
"resource": "cb_enable",
"description": "enable or disable this checkbox",
"role2permissions": [
{"role": "viewer", "permission": "R", "condition": "{{resource_owner_id}} == {{session_user_id}}" },
{"role": "editor", "permission": "RU", "condition": "{{resource_owner_id}} == {{session_user_id}}" },
{"role": "admin", "permission": "CRUD" }]
}
```
**Note:**
a. In the above JSON notation, for a `cb_enable` resource, three roles to permissions mapping are made.
b. First role is a _viewer_ role, for which, permission is assigned as `R`, that means `READ-ONLY` permission, on a _condition_ that only owner of the resource, can view this check box.
* each resource, when created by an user, s/he becomes owner of it, his/her user id is stored/persisted as owner_id.
* when s/he login the application at later point in time, s/he will be identified through session user details.
* so, a comparision between stored owner_id is made with currently logged user (also referred as session user).
* a `Handlebars Template notation` is used in defining this condition.
* variables in this condition are resolved, and then comparision is done. For now, only simple comparision is possible, such as: `a == b`, `a < b`, ...
c. Second role is an _editor_ role, which is assigned with `RU`, that means `READ and UPDATE` permissions, on condition that only owner of the resource, can view and update.
d. Third role is an _admin_ role, which is assinged with `CRUD`, that means `All permissions: CREATE, READ, UPDATE, DELETE`. No condition is needed here.
## how to use it
Refer sample code below:
```
let mut authzn = Authorization::load("./sample_resource_permissions.json", "./sample_user_roles.json");
let user_id = "1002";
authzn.set_permissions_for(user_id);
let resource = "cb_enable";
let owner_id = "1001";
let mut data = Map::new();
data.insert("resource_owner_id".to_string(), to_json( &owner_id ) );
data.insert("session_user_id".to_string(), to_json( &user_id) );
let mut permitted = authzn.allows_add(&user_id, &resource, &data);
if permitted { println!("CREATE PERMITTED"); } else { println!("Create NOT Permitted");}
permitted = authzn.allows_view(&user_id, &resource, &data);
if permitted { println!("VIEW PERMITTED"); } else { println!("View NOT Permitted");}
permitted = authzn.allows_edit(&user_id, &resource, &data);
if permitted { println!("EDIT PERMITTED"); } else { println!("Edit NOT Permitted"); }
permitted = authzn.allows_delete(&user_id, &resource, &data);
if permitted { println!("DELETE PERMITTED"); } else { println!("Delete NOT Permitted"); }
```
___