

1//! Default organization access-control roles.
2
3use crate::access::{
4    create_access_control, statements, AccessControl, AccessError, Role, Statements,
5};
6use std::collections::BTreeMap;
7
/// Default organization plugin permission statements.
///
/// These resource → action pairs are the policy that
/// [`default_access_control`] hands to `create_access_control`. Every role in
/// this module (`admin_role`, `owner_role`, `member_role`) is created against
/// that policy, and each grants a subset of the actions listed here.
pub fn default_statements() -> Statements {
    let organization = ["update", "delete"].to_vec();
    let member = ["create", "update", "delete"].to_vec();
    let invitation = ["create", "cancel"].to_vec();
    let team = ["create", "update", "delete"].to_vec();
    // `ac` and `apiKey` carry the full create/read/update/delete set.
    let ac = ["create", "read", "update", "delete"].to_vec();
    let api_key = ["create", "read", "update", "delete"].to_vec();
    statements([
        ("organization", organization),
        ("member", member),
        ("invitation", invitation),
        ("team", team),
        ("ac", ac),
        ("apiKey", api_key),
    ])
}
19
/// Default organization plugin access-control policy.
///
/// Builds an [`AccessControl`] from [`default_statements`].
///
/// # Errors
/// Propagates the [`AccessError`] returned by `create_access_control` when it
/// rejects the statements.
pub fn default_access_control() -> Result<AccessControl, AccessError> {
    let policy = default_statements();
    create_access_control(policy)
}
24
/// Default organization admin role.
///
/// Grants the same statements as [`owner_role`] with one difference: the
/// `organization` resource carries only `update`, so an admin is not granted
/// `organization:delete`.
///
/// # Errors
/// Fails if [`default_access_control`] cannot be built or if `new_role`
/// rejects the statements.
pub fn admin_role() -> Result<Role, AccessError> {
    let grants = statements([
        // The only difference from `owner_role`: no `delete` on the organization.
        ("organization", vec!["update"]),
        ("invitation", vec!["create", "cancel"]),
        ("member", vec!["create", "update", "delete"]),
        ("team", vec!["create", "update", "delete"]),
        ("ac", vec!["create", "read", "update", "delete"]),
        ("apiKey", vec!["create", "read", "update", "delete"]),
    ]);
    default_access_control()?.new_role(grants)
}
36
/// Default organization owner role.
///
/// Grants every action listed in [`default_statements`], including
/// `organization:delete`, which [`admin_role`] does not receive.
///
/// # Errors
/// Fails if [`default_access_control`] cannot be built or if `new_role`
/// rejects the statements.
pub fn owner_role() -> Result<Role, AccessError> {
    let grants = statements([
        ("organization", ["update", "delete"].to_vec()),
        ("member", ["create", "update", "delete"].to_vec()),
        ("invitation", ["create", "cancel"].to_vec()),
        ("team", ["create", "update", "delete"].to_vec()),
        ("ac", ["create", "read", "update", "delete"].to_vec()),
        ("apiKey", ["create", "read", "update", "delete"].to_vec()),
    ]);
    default_access_control()?.new_role(grants)
}
48
/// Default organization member role.
///
/// The most restricted role in this module: only `ac:read` is granted, and
/// every other resource is listed with an empty action set.
///
/// # Errors
/// Fails if [`default_access_control`] cannot be built or if `new_role`
/// rejects the statements.
pub fn member_role() -> Result<Role, AccessError> {
    // The element type `(&str, Vec<&str>)` is fixed by the `ac` entry, so the
    // empty `vec![]`s infer to `Vec<&str>` without a turbofish.
    let grants = statements([
        ("organization", vec![]),
        ("member", vec![]),
        ("invitation", vec![]),
        ("team", vec![]),
        ("ac", vec!["read"]),
        ("apiKey", vec![]),
    ]);
    default_access_control()?.new_role(grants)
}
60
/// Default organization plugin role map.
///
/// Keys are the role names `"admin"`, `"owner"` and `"member"`; each value is
/// produced by the matching `*_role` constructor, so every role is created
/// from its own `default_access_control()` instance.
///
/// # Errors
/// Returns the first [`AccessError`] raised while constructing any of the
/// three roles, in the order admin, owner, member.
pub fn default_roles() -> Result<BTreeMap<String, Role>, AccessError> {
    let mut roles = BTreeMap::new();
    roles.insert(String::from("admin"), admin_role()?);
    roles.insert(String::from("owner"), owner_role()?);
    roles.insert(String::from("member"), member_role()?);
    Ok(roles)
}