laye 0.1.0

A framework-agnostic role and permission based access control library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

//! The [`Principal`] trait that callers implement on their auth type.

/// Represents an authenticated (or guest) caller.
///
/// Implement this trait on your own auth info struct — a decoded JWT payload, a loaded database
/// row, or any other type that carries identity and permission data.
///
/// `Principal` is object-safe: all methods take `&self` with no generics, enabling
/// `&dyn Principal` usage inside [`AccessRule::Custom`](crate::AccessRule::Custom).
///
/// # Examples
///
/// ```
/// use laye::Principal;
///
/// #[derive(Clone)]
/// struct MyUser {
///     roles: Vec<String>,
///     permissions: Vec<String>,
///     authenticated: bool,
/// }
///
/// impl Principal for MyUser {
///     fn roles(&self) -> &[String] { &self.roles }
///     fn permissions(&self) -> &[String] { &self.permissions }
///     fn is_authenticated(&self) -> bool { self.authenticated }
/// }
///
/// let user = MyUser {
///     roles: vec!["editor".to_string()],
///     permissions: vec!["posts:write".to_string()],
///     authenticated: true,
/// };
///
/// assert!(user.has_role("editor"));
/// assert!(!user.has_role("admin"));
/// assert!(user.has_permission("posts:write"));
/// assert!(!user.has_permission("posts:delete"));
/// ```
pub trait Principal {
    /// Returns the roles assigned to this principal.
    fn roles(&self) -> &[String];

    /// Returns the permissions granted to this principal.
    fn permissions(&self) -> &[String];

    /// Returns `true` if this principal is authenticated.
    ///
    /// A principal can be authenticated with zero roles or permissions. Conversely, you can
    /// pass a guest struct as `Some(&guest)` with this returning `false` to satisfy
    /// [`AccessRule::Guest`](crate::AccessRule::Guest) while still providing a principal value.
    fn is_authenticated(&self) -> bool;

    /// Returns `true` if `role` appears in [`roles`](Self::roles).
    fn has_role(&self, role: &str) -> bool {
        self.roles().iter().any(|r| r == role)
    }

    /// Returns `true` if `permission` appears in [`permissions`](Self::permissions).
    fn has_permission(&self, permission: &str) -> bool {
        self.permissions().iter().any(|p| p == permission)
    }
}