hub / github.com/dgraph-io/dgraph / AuthorizeGuardians

Function AuthorizeGuardians

edgraph/access.go:1147–1171

AuthorizeGuardians authorizes the operation for users who belong to the Guardians group. NOTE: The caller should not wrap the returned error. If needed, propagate the gRPC error code.

(ctx context.Context)

Source from the content-addressed store, hash-verified

// AuthorizeGuardians authorizes the operation for users which belong to Guardians group.
// NOTE: The caller should not wrap the error returned. If needed, propagate the GRPC error code.
func AuthorizeGuardians(ctx context.Context) error {
	if worker.Config.AclSecretKey == nil {
		// the user has not turned on the acl feature
		return nil
	}

	userData, err := extractUserAndGroups(ctx)
	switch {
	case err == x.ErrNoJwt:
		return status.Error(codes.PermissionDenied, err.Error())
	case err != nil:
		return status.Error(codes.Unauthenticated, err.Error())
	default:
		userId := userData.userId
		groupIds := userData.groupIds

		if !x.IsSuperAdmin(groupIds) {
			// Deny access for members of non-guardian groups
			return status.Error(codes.PermissionDenied, fmt.Sprintf("Only guardians are "+
				"allowed access. User '%v' is not a member of guardians group.", userId))
		}
	}

	return nil
}

/*
addUserFilterToQuery applies makes sure that a user can access only its own

Callers 6

resolveGuardianAuth (Function) · 0.92
Health (Method) · 0.85
State (Method) · 0.85
StreamExtSnapshot (Method) · 0.85
AuthSuperAdmin (Function) · 0.85

Calls 3

IsSuperAdmin (Function) · 0.92
extractUserAndGroups (Function) · 0.85
Error (Method) · 0.45

Tested by

no test coverage detected