| 154 | } |
| 155 | |
// AuthorizePredicate decides whether any of the given groups may perform
// operation on predicate. It returns nil when access is granted and a non-nil
// error when it is refused.
//
// Checks run in a fixed order:
//   - An ACL predicate is refused outright, whatever groups contains. The
//     error text says only groot may access it, but no groot check happens in
//     this body; presumably callers handle groot before calling this
//     (NOTE(review): confirm against the call sites).
//   - Otherwise access is granted if HasAccessToAllPreds accepts the
//     predicate's namespace (the "dgraph.all" wildcard), or if
//     hasAccessToPred accepts the predicate itself.
//   - If neither matches, the operation is denied.
//
// The receiver is not read in this body; both permission lookups go through
// package-level helpers. operation must be non-nil, because operation.Name is
// dereferenced when the denial error is built.
func (cache *AclCache) AuthorizePredicate(groups []string, predicate string,
	operation *acl.Operation) error {
	namespace, attrName := x.ParseNamespaceAttr(predicate)
	if x.IsAclPredicate(attrName) {
		// NOTE(review): predicate is echoed as passed in, namespace part
		// included; confirm that is the intended text for the error's reader.
		return errors.Errorf("only groot is allowed to access the ACL predicate: %s", predicate)
	}

	// The wildcard grant is checked first and the per-predicate rule second;
	// || short-circuits, so the second lookup runs only when the first fails.
	granted := HasAccessToAllPreds(namespace, groups, operation) ||
		hasAccessToPred(predicate, groups, operation)
	if granted {
		return nil
	}

	// Fail closed: with no matching rule the operation is blocked by default.
	return errors.Errorf("unauthorized to do %s on predicate %s",
		operation.Name, predicate)
}
| 177 | |
| 178 | // accessAllPredicate is the wildcard predicate that grants a non-superadmin group access to all non-ACL predicates. |
| 179 | const accessAllPredicate = "dgraph.all" |