7.0.1826-testing
In this page
  1. Function permissions decorator
  2. Standard defaults roles
  3. Default init of roles
  4. Making a public accessible app

Permissions

GreyCat relies on a Role Based Access Control (RBAC) to enforce fine-grain security controls.

Permissions are simply rights to read or write within a particular resource.

Permission is then associated with the user through the notion of roles.

Roles are simply collections of permissions associated with various Users.

One user can only be linked to a single Role.

GreyCat standard library already defined a few:

Permission Description
public Default, associated with anonymous users.
admin Allows to administrate anything on the server.
api Allows access to exposed functions.
debug Allows access to low-level graph manipulation functions.
files Allows access to files under /files/ & /webroot/ according to ACL.

Function permissions decorator

Permission must be declared in a decorator of at least of function in the program.

The following snippet illustrates the syntax:

@expose
@permission("api")
native fn modules(): Array<ModDesc>;

Now the function modules can only be called by a user who has the permission api in his token.

Several permissions can be composed in the same decorator, and then the semantic applied is a OR, as follows:

@permission("super", "normal")
fn test(){
    if(User::hasPermission("normal")){
        // normal user
    } else {
        // super
    }
}

The test can now be applied by a users which has either super or normal permission.

In case the permission influences the result, it can be dynamically checked by the helper hasPermission.

The same helper exists in SDK like TS for WebApplication that need

if (greycat.default.hasPermission('normal')) {
  // call rpc
}

Permission is therefore the checkpoint that developers should rely on for adaptative applications.

Roles should only be used for configuration and never for dynamic checks!

Standard defaults roles

By default the standard library defines some roles that are pre-configured to ease all standard usages.

The public role is associated with any anonymous user

Role Permissions
public public
admin public, admin, api, debug, files
user public, api, files

Default init of roles

Most applications need to define in addition to standard roles their permissions.

@permission("foo", "The description for my custom permission");

// The first value is the name of the role, the rest are its permissions
@role("custom", "foo");

Making a public accessible app

If you wish to make you app accessible to the public, since any user that isn’t logged is a anonymous user with the public role, you just need to adjust the default permissions.

@role("public", "api", "files");

Public api

If you just want an public accessible api it’s even easier just make the endpoint public

@expose
@permission("public")
fn hello(name :String) :String {
  return "Hello ${name}"
}