Skip to content

Draft: Allow boolean logic in ability names

mo khan requested to merge mokhax/policy-conventional-names into master

What does this MR do and why?

This change allows encoding boolean logic in ability names using a convention of combining two or more ability names with an _or_ or _and_ to perform ability checks that satisfy the boolean logic.

e.g.

  1. :admin_project_or_read_project will return true when the subject has either the admin_project ability or the read_project ability on the target resource.
  2. admin_project_and_read_project will return true when the subject has both the admin_project ability and the read_project ability.

This change is useful in places like GraphQL mutations that can be executed when one or more permissions is allowed. See !156979 (comment 2004278656) for an example.

#442851 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by mo khan

Merge request reports

Loading