
nest_rs_authz/
lib.rs

1//! CASL-style authorization — transport-agnostic engine plus feature-gated
2//! transport bindings.
3//!
4//! An [`AbilityFactory`] builds an [`Ability`] for the app's actor, which
5//! answers three questions backed by one shared [`Predicate`] (so they can't
6//! drift apart): `can` (gate an action), `condition_for` (lower rules to a
7//! `sea_orm::Condition` for row-level filtering), and `mask` (strip
8//! disallowed instances and fields from a response).
9//!
10//! Bindings: [`http`], [`graphql`], [`mcp`]. The data-coupled bindings
11//! (`Bind`, the GraphQL `bind` helper, `LoaderScope`, `WsDataContext`) live in
12//! `nestrs-seaorm` so the engine stays free of a data-layer dependency.
13
14mod ability;
15mod action;
16mod builder;
17mod context;
18mod factory;
19mod mask;
20mod predicate;
21mod subject;
22
23pub use ability::{Ability, FieldSet};
24pub use action::{Action, ActionMarker, Create, Delete, Manage, Read, Update};
25pub use builder::{AbilityBuilder, RuleSpec};
26pub use context::{current_ability, with_ability};
27pub use factory::AbilityFactory;
28pub use mask::masked_output_ambient;
29pub use predicate::{Predicate, PredicateBuilder};
30pub use subject::Subject;
31
32#[cfg(feature = "graphql")]
33pub mod graphql;
34#[cfg(feature = "http")]
35pub mod http;
36#[cfg(feature = "mcp")]
37pub mod mcp;