hub / github.com/dgraph-io/dgraph / AuthorizePredicate

Method AuthorizePredicate

worker/acl_cache.go:156–176  ·  view source on GitHub ↗
(groups []string, predicate string,
	operation *acl.Operation)

Source from the content-addressed store, hash-verified

154}
155
// AuthorizePredicate decides whether any of the given groups may perform
// operation on predicate. It returns nil when access is granted and a
// descriptive error otherwise.
//
// Checks run in this order:
//  1. ACL predicates are refused outright, before any group rule is consulted.
//  2. A wildcard ("dgraph.all") grant for the predicate's namespace allows the
//     operation.
//  3. A rule matching the predicate itself allows the operation.
//
// Anything that matches no rule is denied (default-deny).
//
// NOTE(review): no group is exempt from step 1 in this method; the error text
// implies groot is handled before this point is reached — confirm in callers.
// NOTE(review): operation is dereferenced on the deny path (operation.Name),
// so callers must pass a non-nil operation.
func (cache *AclCache) AuthorizePredicate(groups []string, predicate string,
	operation *acl.Operation) error {
	namespace, name := x.ParseNamespaceAttr(predicate)

	// ACL predicates are off limits here whatever the caller's groups are.
	if x.IsAclPredicate(name) {
		return errors.Errorf("only groot is allowed to access the ACL predicate: %s", predicate)
	}

	// The namespace-wide wildcard is tried first, then a rule for this
	// predicate. The wildcard lookup takes the parsed namespace; the
	// per-predicate lookup takes the predicate string exactly as received.
	allowed := HasAccessToAllPreds(namespace, groups, operation) ||
		hasAccessToPred(predicate, groups, operation)
	if allowed {
		return nil
	}

	// Nothing matched: fall through to deny rather than allow.
	return errors.Errorf("unauthorized to do %s on predicate %s",
		operation.Name, predicate)
}
177
// accessAllPredicate is the wildcard predicate name: a rule on it grants a
// non-superadmin group access to every non-ACL predicate.
const accessAllPredicate = "dgraph.all"

Callers 2

authorizePredsFunction · 0.80
TestAclCacheFunction · 0.80

Calls 5

ParseNamespaceAttrFunction · 0.92
IsAclPredicateFunction · 0.92
HasAccessToAllPredsFunction · 0.85
hasAccessToPredFunction · 0.85
ErrorfMethod · 0.45

Tested by 1

TestAclCacheFunction · 0.64