authorDaniel Silverstone <dsilvers@digital-scurf.org>2012-06-29 22:40:18 +0100
committerDaniel Silverstone <dsilvers@digital-scurf.org>2012-06-29 22:40:18 +0100
commit46890c9b82ebd5b5f4d1fcceeecd36c51d6880fa (patch)
tree17595b604c19184606abbf771bc927486cab49c2 /example
parentaa93ae86a60b747e791e7abd6eac972d88a79e06 (diff)
downloadgitano-46890c9b82ebd5b5f4d1fcceeecd36c51d6880fa.tar.gz
Initial 'as' support in the lace
Diffstat (limited to 'example')
-rw-r--r--example/gitano-admin/rules/aschecks.lace8
-rw-r--r--example/gitano-admin/rules/core.lace3
-rw-r--r--example/gitano-admin/rules/defines.lace2
3 files changed, 13 insertions, 0 deletions
diff --git a/example/gitano-admin/rules/aschecks.lace b/example/gitano-admin/rules/aschecks.lace
new file mode 100644
index 0000000..3623709
--- /dev/null
+++ b/example/gitano-admin/rules/aschecks.lace
@@ -0,0 +1,8 @@
+# Rules for when we're running as another user.
+# Only 'deny' things which are not allowed.
+# If you 'allow' then it will allow the actual operation, not just
+# fail to deny the fact that it's 'as' someone else.
+
+define as_is_admin as_group gitano-admin
+
+deny "You may not run things as another user unless you are an admin" !as_is_admin
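Review bot: The header comment does not say whose group membership `as_group` tests, and the whole rule depends on that: the deny on the last line is only a safeguard if it looks at the calling user and not at the 'as' target. I would add a line such as `# as_group matches the groups of the calling user, not the user being run as` above the define, once that is confirmed against the lace implementation. The group name `gitano-admin` is also repeated here and in `is_admin` in defines.lace, so a renamed admin group has to be changed in both places; a short comment pointing at the other define would make that harder to miss.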
diff --git a/example/gitano-admin/rules/core.lace b/example/gitano-admin/rules/core.lace
index 1fcc46a..abb3e6c 100644
--- a/example/gitano-admin/rules/core.lace
+++ b/example/gitano-admin/rules/core.lace
@@ -7,6 +7,9 @@ include global:defines
# Now, if we're in the admin group, we can always do stuff
allow "Administrators can do anything" is_admin
+# Now let's decide if we can use 'as'
+include global:aschecks if_asanother
+
# Owners of repositories are allowed to hand it over
allow "Owners can hand over repositories" is_owner op_setowner
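Review bot: The `include global:aschecks if_asanother` line sits after `allow "Administrators can do anything" is_admin`, so the 'as' deny is only reached when that allow did not already match. If `is_admin` (`group gitano-admin`) is evaluated against the user named by 'as' rather than the caller, a request run as an administrator would be allowed before `!as_is_admin` is ever tested. Unless `group` is known to test the caller in that situation, I would move the include above the admin allow, directly after `include global:defines`, so the impersonation check runs first. The rest of core.lace is outside the hunk, so later rules may need the same look.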
diff --git a/example/gitano-admin/rules/defines.lace b/example/gitano-admin/rules/defines.lace
index 870fffc..612d467 100644
--- a/example/gitano-admin/rules/defines.lace
+++ b/example/gitano-admin/rules/defines.lace
@@ -4,6 +4,8 @@
define is_admin group gitano-admin
define is_owner owner ${user}
+define if_asanother as_user ~.
+
# Primary repository-related operations
define op_read operation read
define op_write operation write
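Review bot: `define if_asanother as_user ~.` has no comment, and the `~.` pattern is what decides whether the aschecks rules are consulted at all. A line such as `# Matches whenever an 'as' user is given (any non-empty value)` would document the intent, assuming `~` introduces a pattern match as it appears to. The name also departs from the `is_` and `op_` prefixes used by the neighbouring defines; `is_asanother` would read consistently, with the matching change to the include in core.lace.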