pep.pl -- SWISH PEP (Policy Enforcement Point)
This module implements the Policy Enforcement Point. It is called by modules that perform operations that may not be publically accessible. Examples are:
- Access to files (download, create, update, delete, list, search)
- Control of the sandboxing
- Access to users (profile management)
- authorized(+Action, +Options) is det
- Verify that Action is authorized. Options:
- indentity(+Identity)
- Indentity is the identity dict as collected by
autenticate.pl
.
Actions defined:
- Gitty store actions
- gitty(download(Obj,Format))
- Attempt to download Obj, one of
file(File)
orhash(Hash)
in Format, see storage_get/4 from storage.pl - gitty(create(File,Named,Meta))
- Create file name File with the given meta-data. Named is one
of
named
orrandom
and indicates whether the file is named by the user or the name is generated by the system. - gitty(update(File,PrevMeta,Meta))
- Update File and change meta-data from PrevMeta to Meta.
- gitty(delete(File,Meta))
- Delete File that has the given meta data.
- File actions
- file(update(File,Meta))
- Update (save) a physical file outside the versioned gitty store.
- Social options
- chat(open)
- Open websocket chat channel
- chat(post(Message,About))
- Post a chat message about a specific topic
- ws_authorized(+Action, +WSUser) is semidet
- True when WSUser is allowed to perform action. WSUser is a dict
containing the user info as provided by chat_add_user_id/3. It
notably has a key
profile_id
if the user is logged on. - approve(+Action, +Id)[multifile]
- deny(+Action, +Id)[multifile]
- swish_config:approve(+Action, +Identity, -Approve) is semidet[multifile]
- This hook is called by approve/2 and deny/2 before the default
rules. If this hook succeeds it must unify Approve with
true
orfalse
. Action is approved if Approve istrue
. - pengines:not_sandboxed(+User, +Application) is semidet[multifile]
- Called by Pengines to see whether User may call non-sandboxed operations in Application.