mirror of
https://github.com/zitadel/zitadel.git
synced 2025-08-11 15:27:33 +00:00
6d98b33c56
# Which Problems Are Solved Currently the username uniqueness is on instance level, we want to achieve a way to set it at organization level. # How the Problems Are Solved Addition of endpoints and a resource on organization level, where this setting can be managed. If nothing it set, the uniqueness is expected to be at instance level, where only users with instance permissions should be able to change this setting. # Additional Changes None # Additional Context Includes #10086 Closes #9964 --------- Co-authored-by: Marco A. <marco@zitadel.com>
76 lines
3.3 KiB
Go
76 lines
3.3 KiB
Go
package domain
|
|
|
|
import "context"
|
|
|
|
type Permissions struct {
|
|
Permissions []string
|
|
}
|
|
|
|
func (p *Permissions) AppendPermissions(ctxID string, permissions ...string) {
|
|
for _, permission := range permissions {
|
|
p.appendPermission(ctxID, permission)
|
|
}
|
|
}
|
|
|
|
func (p *Permissions) appendPermission(ctxID, permission string) {
|
|
if ctxID != "" {
|
|
permission = permission + ":" + ctxID
|
|
}
|
|
for _, existingPermission := range p.Permissions {
|
|
if existingPermission == permission {
|
|
return
|
|
}
|
|
}
|
|
p.Permissions = append(p.Permissions, permission)
|
|
}
|
|
|
|
type PermissionCheck func(ctx context.Context, permission, resourceOwnerID, aggregateID string) (err error)
|
|
|
|
const (
|
|
PermissionUserWrite = "user.write"
|
|
PermissionUserRead = "user.read"
|
|
PermissionUserDelete = "user.delete"
|
|
PermissionUserCredentialWrite = "user.credential.write"
|
|
PermissionSessionWrite = "session.write"
|
|
PermissionSessionRead = "session.read"
|
|
PermissionSessionLink = "session.link"
|
|
PermissionSessionDelete = "session.delete"
|
|
PermissionOrgRead = "org.read"
|
|
PermissionIDPRead = "iam.idp.read"
|
|
PermissionOrgIDPRead = "org.idp.read"
|
|
PermissionProjectWrite = "project.write"
|
|
PermissionProjectRead = "project.read"
|
|
PermissionProjectDelete = "project.delete"
|
|
PermissionProjectGrantWrite = "project.grant.write"
|
|
PermissionProjectGrantRead = "project.grant.read"
|
|
PermissionProjectGrantDelete = "project.grant.delete"
|
|
PermissionProjectRoleWrite = "project.role.write"
|
|
PermissionProjectRoleRead = "project.role.read"
|
|
PermissionProjectRoleDelete = "project.role.delete"
|
|
PermissionProjectAppWrite = "project.app.write"
|
|
PermissionProjectAppDelete = "project.app.delete"
|
|
PermissionProjectAppRead = "project.app.read"
|
|
PermissionInstanceMemberWrite = "iam.member.write"
|
|
PermissionInstanceMemberDelete = "iam.member.delete"
|
|
PermissionInstanceMemberRead = "iam.member.read"
|
|
PermissionOrgMemberWrite = "org.member.write"
|
|
PermissionOrgMemberDelete = "org.member.delete"
|
|
PermissionOrgMemberRead = "org.member.read"
|
|
PermissionProjectMemberWrite = "project.member.write"
|
|
PermissionProjectMemberDelete = "project.member.delete"
|
|
PermissionProjectMemberRead = "project.member.read"
|
|
PermissionProjectGrantMemberWrite = "project.grant.member.write"
|
|
PermissionProjectGrantMemberDelete = "project.grant.member.delete"
|
|
PermissionProjectGrantMemberRead = "project.grant.member.read"
|
|
PermissionUserGrantWrite = "user.grant.write"
|
|
PermissionUserGrantRead = "user.grant.read"
|
|
PermissionUserGrantDelete = "user.grant.delete"
|
|
PermissionIAMPolicyWrite = "iam.policy.write"
|
|
PermissionIAMPolicyDelete = "iam.policy.delete"
|
|
PermissionPolicyRead = "policy.read"
|
|
)
|
|
|
|
// ProjectPermissionCheck is used as a check for preconditions dependent on application, project, user resourceowner and usergrants.
|
|
// Configurable on the project the application belongs to through the flags related to authentication.
|
|
type ProjectPermissionCheck func(ctx context.Context, clientID, userID string) (err error)
|