pep.pl -- SWISH PEP (Policy Enforcement Point)
This module implements the Policy Enforcement Point. It is called by modules that perform operations that may not be publically accessible. Examples are:
- Access to files (download, create, update, delete, list, search)
- Control of the sandboxing
- Access to users (profile management)
- authorized(+Action, +Options) is det
- Verify that Action is authorized. Options:
- Indentity is the identity dict as collected by
- Gitty store actions
- Attempt to download Obj, one of
hash(Hash)in Format, see storage_get/4 from storage.pl
- Create file name File with the given meta-data. Named is one
randomand indicates whether the file is named by the user or the name is generated by the system.
- Update File and change meta-data from PrevMeta to Meta.
- Delete File that has the given meta data.
- File actions
- Update (save) a physical file outside the versioned gitty store.
- Social options
- Open websocket chat channel
- Post a chat message about a specific topic
- ws_authorized(+Action, +WSUser) is semidet
- True when WSUser is allowed to perform action. WSUser is a dict
containing the user info as provided by chat_add_user_id/3. It
notably has a key
profile_idif the user is logged on.
- approve(+Action, +Id)[multifile]
- deny(+Action, +Id)[multifile]
- swish_config:approve(+Action, +Identity, -Approve) is semidet[multifile]
- This hook is called by approve/2 and deny/2 before the default
rules. If this hook succeeds it must unify Approve with
false. Action is approved if Approve is
- pengines:not_sandboxed(+User, +Application) is semidet[multifile]
- Called by Pengines to see whether User may call non-sandboxed operations in Application.