Yusuf Sultan
01/04/2024, 12:45 PM
Yusuf Sultan
01/04/2024, 12:48 PM
User wants to read an Article that has privacy: default
oguzhan
default_visibility (values could be PUBLIC, PRIVATE), the policy for the article could look like this:
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: article
  rules:
    - name: visibility_present
      actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          all:
            of:
              - expr: has(request.resource.attr.visibility)
              - expr: request.resource.attr.visibility == "PUBLIC"
              - expr: request.resource.attr.status == "PUBLISHED"
    - name: visibility_not_present
      actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          all:
            of:
              - expr: "!has(request.resource.attr.visibility)"
              - expr: globals.default_visibility == "PUBLIC"
              - expr: request.resource.attr.status == "PUBLISHED"
If the attribute visibility is available in the resource attributes, it decides according to the attribute provided. If the visibility attribute is not present, it uses the default_visibility global variable.
If you want to toy around with the idea, here is the playground link: https://play.cerbos.dev/p/DFsMeI6597c2c2HXAsOLFp43QkRbZ4w6 (using exportVariables instead of globals due to the playground limitations)
Yusuf Sultan
01/06/2024, 8:12 AM