pub fn check_cap(acl: &AclMap, caller: &str, cap: &str) -> Result<()>Expand description
Check whether caller has capability cap in acl.
- Normalise
caller(strip fragment from DID-URLs). - Look up the normalised caller directly — if a principal entry, apply and stop.
- Fall back to the
"*"wildcard principal entry. - Explicit deny →
Err; capability absent →Err; no entry →Err.
Group principals (+<handle>.<path>) are not resolved here;
they are expanded by the runtime’s async check_full.
A "*" item inside an Allow set grants all capabilities.