
Module guards


Authority guards — server-side enforcement of the rank model.

Every authority mutation (user create / update / delete, future group / permission / recovery flows) routes through one of these pure verdict functions before touching the DB. UI hiding is a courtesy, not a security boundary; the framework refuses unsafe state changes here regardless of what the form said.

The guards encode five invariants:

  1. Self-demote / self-deactivate are blocked. A signed-in user cannot lower their own role nor flip themselves to inactive (matches the existing self-delete rule). Self-keep-rank is fine.

  2. Cross-rank protection. A user cannot edit another user whose role rank is at-or-above their own. Editing one’s own record is not blocked by this guard (the self-* guards cover that), and editing a strictly lower-rank target is allowed.

  3. Role ceiling. A user cannot grant a role with a rank strictly above their own — even to themselves. Equal is allowed (an Admin keeping their own Admin role on save).

  4. Protected-role orphan prevention. Lives in super::would_orphan_protected; the guard wrapper here converts the resolved orphan-role into a clear human message.

  5. (deferred to a later phase) Permission ceiling — a user cannot grant permissions they themselves don’t hold. Today the group routes are gated by Role::Administrator, who bypasses group checks, so this guard is unreachable; reinstate when delegated group management lands.

All five return Error::Forbidden on rejection so the HTTP layer renders a 403 with the supplied reason.
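As an added example (not the project's own code), the following Rust sketch implements invariants 1 to 4 as pure verdict functions over an in-memory rank model and chains them the way the mutation path described above does. The Role enum, its rank() numbering, the UserRecord shape, the Error::Forbidden(String) variant and the protected-role list are all assumptions made for the illustration; the real module's signatures may differ.

```rust
// Added illustration, not the project's code. Role, rank numbers, UserRecord,
// Error variants and the protected-role list are assumptions for this example.

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role {
    Viewer,
    Editor,
    Administrator,
}

impl Role {
    /// Higher number = more authority. Only the ordering matters to the guards.
    pub fn rank(self) -> u8 {
        match self {
            Role::Viewer => 1,
            Role::Editor => 2,
            Role::Administrator => 3,
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    /// Rendered as HTTP 403 with the supplied reason by the HTTP layer.
    Forbidden(String),
    NotFound,
}

#[derive(Clone, Debug)]
pub struct UserRecord {
    pub id: u64,
    pub role: Role,
    pub is_active: bool,
}

/// Invariant 1: a user may not lower their own rank or deactivate themselves.
/// Non-self edits pass; raising one's own rank is left to the role ceiling.
pub fn enforce_self_demote_safe(
    actor: &UserRecord,
    target_before: &UserRecord,
    new_role: Role,
    new_is_active: bool,
) -> Result<(), Error> {
    if actor.id != target_before.id {
        return Ok(());
    }
    if new_role.rank() < target_before.role.rank() {
        return Err(Error::Forbidden("you cannot lower your own role".into()));
    }
    if target_before.is_active && !new_is_active {
        return Err(Error::Forbidden("you cannot deactivate your own account".into()));
    }
    Ok(())
}

/// Invariant 2: no editing another user whose rank is at or above the actor's.
pub fn enforce_cross_rank_safe(actor: &UserRecord, target: &UserRecord) -> Result<(), Error> {
    if actor.id == target.id {
        return Ok(()); // self-edits are governed by the self-* guards
    }
    if target.role.rank() >= actor.role.rank() {
        return Err(Error::Forbidden(format!(
            "cannot modify a user with role {:?} from role {:?}",
            target.role, actor.role
        )));
    }
    Ok(())
}

/// Invariant 3: the granted role may not outrank the actor; equal is allowed.
pub fn enforce_role_ceiling(actor: &UserRecord, new_role: Role) -> Result<(), Error> {
    if new_role.rank() > actor.role.rank() {
        return Err(Error::Forbidden(format!("cannot grant role {:?} above your own", new_role)));
    }
    Ok(())
}

/// Invariant 4: after applying the proposed change to `target_id`, every
/// protected role must still have at least one active member.
pub fn enforce_no_orphan_role(
    users: &[UserRecord],
    target_id: u64,
    new_role: Role,
    new_is_active: bool,
    protected: &[Role],
) -> Result<(), Error> {
    for &role in protected {
        let still_held = users.iter().any(|u| {
            // Evaluate the post-change state for the target, current state for others.
            let (r, active) = if u.id == target_id { (new_role, new_is_active) } else { (u.role, u.is_active) };
            active && r == role
        });
        if !still_held {
            return Err(Error::Forbidden(format!(
                "change would leave protected role {:?} with no active member",
                role
            )));
        }
    }
    Ok(())
}

/// Runs every guard before a user update would touch storage.
pub fn authorize_user_update(
    actor: &UserRecord,
    users: &[UserRecord],
    target_id: u64,
    new_role: Role,
    new_is_active: bool,
    protected: &[Role],
) -> Result<(), Error> {
    let target = users.iter().find(|u| u.id == target_id).ok_or(Error::NotFound)?;
    enforce_cross_rank_safe(actor, target)?;
    enforce_self_demote_safe(actor, target, new_role, new_is_active)?;
    enforce_role_ceiling(actor, new_role)?;
    enforce_no_orphan_role(users, target_id, new_role, new_is_active, protected)
}
```

The guards take plain values rather than a database handle, so they can be unit-tested exhaustively and the mutation handler only has to call authorize_user_update before writing; the orphan check evaluates the target's proposed state against everyone else's current state, which is what "would empty the active-member set" means in practice.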

Functions

enforce_cross_rank_safe
Forbid a user from modifying another user whose role is at-or-above their own. Editing one’s own record is allowed; the self-* guards catch the dangerous cases.

enforce_no_orphan_role
Reject changes that would empty the active-member set for any protected role. Wraps would_orphan_protected and returns a human-readable error naming the role that would be orphaned.

enforce_role_ceiling
Forbid a user from assigning a role with rank strictly greater than their own. Same-rank is allowed so an Admin can re-save another Admin’s record (whether the actor may touch that target at all, given the target’s existing rank, is checked by enforce_cross_rank_safe).

enforce_self_demote_safe
Forbid a user from saving an edit to their own record that drops their role below its current rank or flips is_active to false. Self-keep-rank is allowed; raising one’s own rank is blocked separately by enforce_role_ceiling.