reinhardt-auth 0.1.2

Authentication and authorization system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

use std::collections::HashSet;

/// PermissionsMixin trait - Django's PermissionsMixin equivalent
///
/// Provides permission management functionality for user models. This trait can be composed
/// with `BaseUser` or `FullUser` to add Django-style permission checking capabilities.
///
/// # Permission System
///
/// Reinhardt's permission system is inspired by Django's:
/// - Permissions are strings in the format `"app_label.permission_name"` (e.g., `"blog.add_post"`)
/// - Users can have permissions directly assigned or inherit them from groups
/// - Superusers automatically have all permissions
///
/// # Examples
///
/// Implementing PermissionsMixin for a custom user:
///
/// ```
/// use reinhardt_auth::{BaseUser, PermissionsMixin, PasswordHasher};
/// #[cfg(feature = "argon2-hasher")]
/// use reinhardt_auth::Argon2Hasher;
/// use uuid::Uuid;
/// use chrono::{DateTime, Utc};
/// use serde::{Serialize, Deserialize};
///
/// #[derive(Serialize, Deserialize)]
/// struct MyUser {
///     id: Uuid,
///     email: String,
///     password_hash: Option<String>,
///     last_login: Option<DateTime<Utc>>,
///     is_active: bool,
///     is_superuser: bool,
///     user_permissions: Vec<String>,
///     groups: Vec<String>,
/// }
///
/// #[cfg(feature = "argon2-hasher")]
/// impl BaseUser for MyUser {
///     type PrimaryKey = Uuid;
///     type Hasher = Argon2Hasher;
///
///     fn get_username_field() -> &'static str { "email" }
///     fn get_username(&self) -> &str { &self.email }
///     fn password_hash(&self) -> Option<&str> { self.password_hash.as_deref() }
///     fn set_password_hash(&mut self, hash: String) { self.password_hash = Some(hash); }
///     fn last_login(&self) -> Option<DateTime<Utc>> { self.last_login }
///     fn set_last_login(&mut self, time: DateTime<Utc>) { self.last_login = Some(time); }
///     fn is_active(&self) -> bool { self.is_active }
/// }
///
/// impl PermissionsMixin for MyUser {
///     fn is_superuser(&self) -> bool { self.is_superuser }
///     fn user_permissions(&self) -> &[String] { &self.user_permissions }
///     fn groups(&self) -> &[String] { &self.groups }
/// }
///
/// # #[cfg(feature = "argon2-hasher")]
/// # {
/// let mut user = MyUser {
///     id: Uuid::now_v7(),
///     email: "admin@example.com".to_string(),
///     password_hash: None,
///     last_login: None,
///     is_active: true,
///     is_superuser: false,
///     user_permissions: vec!["blog.add_post".to_string(), "blog.edit_post".to_string()],
///     groups: vec![],
/// };
///
/// assert!(user.has_perm("blog.add_post"));
/// assert!(user.has_perm("blog.edit_post"));
/// assert!(!user.has_perm("blog.delete_post"));
///
/// // Superusers have all permissions
/// user.is_superuser = true;
/// assert!(user.has_perm("blog.delete_post"));
/// assert!(user.has_perm("any.permission"));
/// # }
/// ```
pub trait PermissionsMixin: Send + Sync {
	/// Returns whether this user is a superuser
	///
	/// Superusers automatically have all permissions without explicit assignment.
	fn is_superuser(&self) -> bool;

	/// Returns the list of permissions directly assigned to this user
	///
	/// Permissions are typically in the format `"app_label.permission_name"`.
	/// For example: `"blog.add_post"`, `"blog.edit_post"`, `"auth.change_user"`.
	fn user_permissions(&self) -> &[String];

	/// Returns the list of groups this user belongs to
	///
	/// Groups are used to assign permissions to multiple users at once.
	/// This method returns group names or identifiers.
	fn groups(&self) -> &[String];

	/// Returns all permissions directly assigned to this user
	///
	/// This does not include group permissions. Use `get_all_permissions()` for the complete set.
	fn get_user_permissions(&self) -> HashSet<String> {
		self.user_permissions().iter().cloned().collect()
	}

	/// Returns all permissions from groups this user belongs to
	///
	/// When a global `GroupManager` is registered via
	/// [`register_group_manager`](crate::register_group_manager), this method
	/// automatically resolves permissions for the groups returned by
	/// [`groups()`](Self::groups). Otherwise returns an empty set.
	fn get_group_permissions(&self) -> HashSet<String> {
		if let Some(manager) = crate::group_management::get_group_manager() {
			manager.get_permissions_for_groups_sync(self.groups())
		} else {
			HashSet::new()
		}
	}

	/// Returns all permissions for this user (user permissions + group permissions)
	///
	/// This is the union of permissions directly assigned to the user and permissions
	/// inherited from groups.
	fn get_all_permissions(&self) -> HashSet<String> {
		let mut perms = self.get_user_permissions();
		perms.extend(self.get_group_permissions());
		perms
	}

	/// Checks if this user has a specific permission
	///
	/// Superusers always return `true` regardless of the permission.
	/// For other users, checks if the permission exists in their complete permission set.
	///
	/// # Arguments
	///
	/// * `perm` - Permission string in the format `"app_label.permission_name"`
	fn has_perm(&self, perm: &str) -> bool {
		if self.is_superuser() {
			return true;
		}
		self.get_all_permissions().contains(perm)
	}

	/// Checks if this user has all of the specified permissions
	///
	/// Superusers always return `true` regardless of the permissions.
	/// For other users, checks if all permissions exist in their complete permission set.
	///
	/// # Arguments
	///
	/// * `perms` - Slice of permission strings
	fn has_perms(&self, perms: &[&str]) -> bool {
		if self.is_superuser() {
			return true;
		}
		let all_perms = self.get_all_permissions();
		perms.iter().all(|p| all_perms.contains(*p))
	}

	/// Checks if this user has any permission for a specific app/module
	///
	/// Superusers always return `true`.
	/// For other users, checks if they have any permission starting with `"app_label."`.
	///
	/// # Arguments
	///
	/// * `app_label` - The application label (e.g., `"blog"`, `"auth"`)
	fn has_module_perms(&self, app_label: &str) -> bool {
		if self.is_superuser() {
			return true;
		}
		self.get_all_permissions()
			.iter()
			.any(|p| p.starts_with(&format!("{}.", app_label)))
	}
}