/** user is the subject type every other definition's user-facing relations point at (administrator, member, reader, writer) */
definition user {}
/**
 * platform is the top-level scope; its administrators are the super-admins.
 * Organizations attach to it via their orgplatform relation.
 * Note: this definition exposes only the `administrator` relation — it defines
 * no `admin` permission, so arrows from other definitions must target `administrator`.
 */
definition platform {
    /** administrator: users who administer the entire platform (super-admins) */
    relation administrator: user
}
/**
 * if_org_public is true only when the request context supplies
 * `visibility` equal to "org_public". It gates project#org_public_viewer so
 * organization-wide view rights apply only to org_public projects; a missing
 * or different `visibility` value yields no access through that relation.
 */
caveat if_org_public(visibility string) {
    visibility == "org_public"
}
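/** organization represents an organization that contains projects */
definition organization {
    /** orgplatform links the org to the platform so platform administrators inherit admin here */
    relation orgplatform: platform

    /** administrator indicates that the user is an admin of the org */
    relation administrator: user

    /** member indicates that the user belongs to the org */
    relation member: user

    /**
     * Allow any user to view this organization if the visibility is public.
     * user:* is a wildcard: a single organization:X#public_viewer@user:* tuple
     * grants view to every user subject, so it must be written only while the
     * org is public and removed when set_visibility makes it private.
     */
    relation public_viewer: user:*

    /**
     * admin: org administrators plus platform administrators.
     * The arrow targets `administrator` because platform defines that relation
     * and no `admin` permission; an arrow to an undefined member would be
     * rejected when the schema is written.
     */
    permission admin = administrator + orgplatform->administrator

    permission view = member + admin + public_viewer

    // member-level perms
    permission create_project = member + admin
    // NOTE(review): members (not only admins) may delete projects — confirm this is intended
    permission delete_project = member + admin

    // admin-only perms
    permission add_user = admin
    permission remove_user = admin
    permission set_visibility = admin
}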
/** project represents a project with access control */
definition project {
/** projectorg indicates that the organization owns this project */
relation projectorg: organization
/** Allow any user to view this project if the visibility is public */
relation public_viewer: user:*
/** Allow any user in projectorg to view this project if the visibility is org_public */
relation org_public_viewer: organization#view with if_org_public
relation administrator: user
relation reader: user
relation writer: user
/** implict perm to group admin, not used in application code! */
permission admin = projectorg->administrator + administrator
// admin perms
permission add_member = admin
permission remove_member = admin
permission update_member_permissions = admin
permission set_visibility = admin
// regular perms
permission view = admin + reader + public_viewer + org_public_viewer