attribute
.
Boolean
data type is an excellent choice.
is_public
is defined as a boolean attribute. If an attribute is a boolean, it can be directly used without the need for a rule. This is only applicable for boolean types.
is_public
attribute of the repository is set to true, everyone can view it. If it’s not public (i.e., is_public
is false), only the owner, in this case user:1
, can view it.
The permissions in this model are defined as such:
permission view = is_public or owner
This means that the ‘view’ permission is granted if either the repository is public (is_public
is true) or if the current user is the owner of the repository.
relationships:
check*{snapshot}*{schema*version}*{context}\_post:1$is_public
→ truecheck*{snapshot}*{schema*version}*{context}\_post:1#admin@user:1
→ trueday_of_week
) must not be a weekend (determined by the is_weekday
rule), and the user must be a member of the organization that owns the repository.
Relationships:
check*{snapshot}*{schema*version}*{context}\_organization:1$is_weekday(valid_weekdays)
→ truecheck*{snapshot}*{schema*version}*{context}\_post:1#member@user:1
→ trueuser
and account
.
user
: Represents a customer of the bank.account
: Represents a bank account that has an owner
(which is a user
), and a balance
(amount of money in the account).withdraw
permission to be granted. In other words, a user can withdraw money from an account only if they are the owner of that account, and the amount they want to withdraw is within the account balance and doesn’t exceed 5000.
Relationships
check*{snapshot}*{schema*version}*{context}\_account:1$check_balance(balance)
→ truecheck*{snapshot}*{schema*version}*{context}\_account:1#owner@user:1
→ trueemployee
: Represents an individual worker. It has no specific attributes or relations in this case.organization
: Represents an entire organization, which has a founding_year
attribute. The view
permission is granted if the check_founding_year
rule (which checks if the organization was founded after 2000) returns true.department
: Represents a department within the organization. It has a budget
attribute and a relation to its parent organization
. The view
permission is granted if the department’s budget is more than 10,000 (checked by the check_budget
rule) and if the organization.view
permission is true.organization.view
). However, you cannot use the attribute of a relation in this way. For example, you cannot directly reference organization.founding_year
in a permission expression. Permissions can depend on permissions in a related entity, but not directly on the related entity’s attributes.
check*{snapshot}*{schema*version}*{context}\_department:1$check_budget(budget)
→ truecheck*{snapshot}*{schema*version}*{context}\_organization:2$check_founding_year(founding_year)
→ falsecheck*{snapshot}*{schema*version}*{context}\_organization:1$check_founding_year(founding_year)
→ truecheck*{snapshot}*{schema*version}*{context}\_organization:1#admin@user:1
→ truecheck*{snapshot}*{schema*version}*{context}\_organization:1$check_ip_range(ip_range)
→ truedelete
permission rule is set. It calls the function is_weekday
with the value of valid_weekdays
from the related entity. If is_weekday(["monday", "tuesday", "wednesday", "thursday", "friday"])
is true, the delete permission is granted.
Create Validation File