Co-authored-by: Colin Seymour <colin@github.com>
Showing
8 changed files
with
440 additions
and
0 deletions.
@@ -0,0 +1,123 @@ | ||
actor User { } | ||
|
||
resource Organization { | ||
permissions = [ | ||
"read", | ||
"read_details", | ||
"view_members", | ||
"manage_members", | ||
"set_default_role", | ||
"create_repositories", | ||
"delete" | ||
]; | ||
roles = ["admin", "member"]; | ||
|
||
"read_details" if "member"; | ||
"view_members" if "member"; | ||
"create_repositories" if "member"; | ||
|
||
"member" if "admin"; | ||
"manage_members" if "admin"; | ||
"set_default_role" if "admin"; | ||
"delete" if "admin"; | ||
} | ||
|
||
resource Repository { | ||
permissions = [ | ||
"read", "create", "update", "delete", | ||
"invite", "write", | ||
"manage_jobs", "manage_issues", "create_issues", | ||
"view_members", "manage_members" | ||
]; | ||
roles = ["reader", "admin", "maintainer", "editor"]; | ||
relations = { organization: Organization }; | ||
|
||
"reader" if "member" on "organization"; | ||
"admin" if "admin" on "organization"; | ||
"reader" if "editor"; | ||
"editor" if "maintainer"; | ||
"maintainer" if "admin"; | ||
|
||
# reader permissions | ||
"read" if "reader"; | ||
"create_issues" if "reader"; | ||
|
||
# editor permissions | ||
"write" if "editor"; | ||
"manage_jobs" if "editor"; | ||
"manage_issues" if "editor"; | ||
"view_members" if "maintainer"; | ||
|
||
# admin permissions | ||
"manage_members" if "admin"; | ||
"update" if "admin"; | ||
"delete" if "admin"; | ||
"invite" if "admin" ; | ||
} | ||
|
||
resource Issue { | ||
permissions = ["read", "comment", "close"]; | ||
roles = ["reader", "admin", "creator"]; | ||
relations = { repository: Repository }; | ||
|
||
"reader" if "reader" on "repository"; | ||
"admin" if "admin" on "repository"; | ||
|
||
"read" if "reader"; | ||
"comment" if "admin"; | ||
"close" if "creator"; | ||
"close" if "admin"; | ||
} | ||
|
||
has_permission(_: Actor, "read", repo: Repository) if | ||
is_public(repo); | ||
|
||
|
||
has_permission(actor: Actor, "delete", repo: Repository) if | ||
has_role(actor, "member", repo) and | ||
is_protected(repo, false); | ||
|
||
|
||
# readers can only comment on open issues | ||
has_permission(actor: Actor, "comment", issue: Issue) if | ||
has_permission(actor, "read", issue) and | ||
is_closed(issue, false); | ||
|
||
|
||
# Misc rules: | ||
## All organizations are public | ||
has_permission(_: User, "read", _: Organization); | ||
has_permission(_: User, "create", "Organization"); | ||
## Users can read all users | ||
has_permission(_: User, "read", _: User); | ||
## Users can only read their own profiles | ||
has_permission(user: User, "read_profile", user: User); | ||
has_permission(_: User, "read_profile", _: User); | ||
|
||
|
||
# Complex rules | ||
|
||
|
||
# Actors inherit roles from groups | ||
has_role(user: User, role: String, resource: Resource) if | ||
group matches Group and | ||
has_group(user, group) and | ||
has_role(group, role, resource); | ||
|
||
# Nested group | ||
has_group(user: User, group: Group) if | ||
g matches Group and | ||
has_group(user, g) and | ||
has_group(g, group); | ||
|
||
# A custom role is defined by the permissions it grants | ||
has_permission(actor: Actor, action: String, org: Organization) if | ||
role matches Role and | ||
has_role(actor, role, org) and | ||
grants_permission(role, action); | ||
|
||
has_role(actor: Actor, role: String, repo: Repository) if | ||
org matches Organization and | ||
has_relation(repo, "organization", org) and | ||
has_default_role(org, role) and | ||
has_role(actor, "member", org); |
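Review bot: The final `read_profile` rule in the "Misc rules" section, `has_permission(_: User, "read_profile", _: User);`, grants every user read_profile on every other user, which contradicts the comment directly above it ("Users can only read their own profiles") and makes the self-only rule `has_permission(user: User, "read_profile", user: User);` dead — Polar rules are disjunctive, so the broadest matching rule wins; either drop the unconditional rule or reword the comment to say profiles are readable by all users. The default-role rule at the end of the hunk calls `has_relation(repo, "organization", org)` with the resource first, while the second file in this commit writes the related object first (`has_relation(org: Org, "parent", repo: Repo)`); if both samples are meant for the same engine, one ordering will never match and the rule silently fails closed, so a comment naming which convention each sample follows would help. The nested-group rule (`has_group(user: User, group: Group) if g matches Group and has_group(user, g) and has_group(g, group);`) recurses with no cycle guard, so a membership cycle in the fact data is unbounded unless the engine detects it; that assumption deserves a one-line comment. The page also flags hidden bidirectional Unicode characters in these files; if that flag is accurate rather than generic, the samples should be inspected for Trojan-Source-style ordering overrides, since none are visible in the rendered text.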
@@ -0,0 +1,91 @@ | ||
allow(actor, action, resource) if | ||
has_permission(actor, action, resource); | ||
|
||
# Users can see each other. | ||
has_permission(_: User, "read", _: User); | ||
|
||
# A User can read their own profile. | ||
has_permission(_: User{id: id}, "read_profile", _:User{id: id}); | ||
|
||
# Any logged-in user can create a new org. | ||
has_permission(_: User, "create", _: Org); | ||
|
||
actor User {} | ||
|
||
resource Org { | ||
roles = ["owner", "member"]; | ||
permissions = [ | ||
"read", | ||
"create_repos", | ||
"list_repos", | ||
"create_role_assignments", | ||
"list_role_assignments", | ||
"update_role_assignments", | ||
"delete_role_assignments", | ||
]; | ||
|
||
"read" if "member"; | ||
"list_repos" if "member"; | ||
"list_role_assignments" if "member"; | ||
|
||
"create_repos" if "owner"; | ||
"create_role_assignments" if "owner"; | ||
"update_role_assignments" if "owner"; | ||
"delete_role_assignments" if "owner"; | ||
|
||
"member" if "owner"; | ||
} | ||
|
||
has_role(user: User, name: String, org: Org) if | ||
role in user.org_roles and | ||
role matches { name: name, org: org }; | ||
|
||
resource Repo { | ||
roles = ["admin", "maintainer", "reader"]; | ||
permissions = [ | ||
"read", | ||
"create_issues", | ||
"list_issues", | ||
"create_role_assignments", | ||
"list_role_assignments", | ||
"update_role_assignments", | ||
"delete_role_assignments", | ||
]; | ||
relations = { parent: Org }; | ||
|
||
"create_role_assignments" if "admin"; | ||
"list_role_assignments" if "admin"; | ||
"update_role_assignments" if "admin"; | ||
"delete_role_assignments" if "admin"; | ||
|
||
|
||
"read" if "reader"; | ||
"list_issues" if "reader"; | ||
"create_issues" if "reader"; | ||
|
||
"admin" if "owner" on "parent"; | ||
"reader" if "member" on "parent"; | ||
|
||
"maintainer" if "admin"; | ||
"reader" if "maintainer"; | ||
} | ||
|
||
has_role(user: User, name: String, repo: Repo) if | ||
role in user.repo_roles and | ||
role matches { name: name, repo: repo }; | ||
|
||
has_relation(org: Org, "parent", repo: Repo) if repo.org = org; | ||
|
||
resource Issue { | ||
roles = ["creator"]; | ||
permissions = ["read", "close"]; | ||
relations = { parent: Repo }; | ||
"read" if "reader" on "parent"; | ||
"close" if "maintainer" on "parent"; | ||
"close" if "creator"; | ||
} | ||
|
||
has_relation(repo: Repo, "parent", issue: Issue) if issue.repo = repo; | ||
|
||
has_role(user: User, "creator", issue: Issue) if | ||
issue.creator = user; |
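Review bot: The `Issue` resource grants `"close" if "creator"` but `"read"` only through `"reader" on "parent"`, so an issue's creator who no longer holds a reader role on the repository (for example after being removed from the org) can still close the issue without being able to read it; if that is intended it deserves a comment, otherwise add `"read" if "creator";` beside the existing close rule. The two `has_role` rules that read `user.org_roles` and `user.repo_roles` match any `name` string without checking it against the resource's declared `roles` list, which fails closed for unknown names but means a mistyped stored assignment is silently ignored; a comment stating that the application is expected to validate role names on write would make that contract explicit.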
Submodule polar-grammar
added at
4262a4