NotAShelf
a3155f54e8
Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: Idc4d0743153c77b4dd915a95a603680f6a6a6964
77 lines
2.1 KiB
Rust
77 lines
2.1 KiB
Rust
//! Role constants and validation for FC
|
|
|
|
/// Global role - full system access
|
|
pub const ROLE_ADMIN: &str = "admin";
|
|
|
|
/// Global role - view only
|
|
pub const ROLE_READ_ONLY: &str = "read-only";
|
|
|
|
/// Global role - can create projects
|
|
pub const ROLE_CREATE_PROJECTS: &str = "create-projects";
|
|
|
|
/// Global role - can evaluate jobsets
|
|
pub const ROLE_EVAL_JOBSET: &str = "eval-jobset";
|
|
|
|
/// Global role - can cancel builds
|
|
pub const ROLE_CANCEL_BUILD: &str = "cancel-build";
|
|
|
|
/// Global role - can restart jobs
|
|
pub const ROLE_RESTART_JOBS: &str = "restart-jobs";
|
|
|
|
/// Global role - can bump jobs to front of queue
|
|
pub const ROLE_BUMP_TO_FRONT: &str = "bump-to-front";
|
|
|
|
/// Project role - full project access
|
|
pub const PROJECT_ROLE_ADMIN: &str = "admin";
|
|
|
|
/// Project role - can manage project settings and builds
|
|
pub const PROJECT_ROLE_MAINTAINER: &str = "maintainer";
|
|
|
|
/// Project role - basic project access
|
|
pub const PROJECT_ROLE_MEMBER: &str = "member";
|
|
|
|
/// All valid global roles
|
|
pub const VALID_ROLES: &[&str] = &[
|
|
ROLE_ADMIN,
|
|
ROLE_READ_ONLY,
|
|
ROLE_CREATE_PROJECTS,
|
|
ROLE_EVAL_JOBSET,
|
|
ROLE_CANCEL_BUILD,
|
|
ROLE_RESTART_JOBS,
|
|
ROLE_BUMP_TO_FRONT,
|
|
];
|
|
|
|
/// All valid project roles
|
|
pub const VALID_PROJECT_ROLES: &[&str] = &[
|
|
PROJECT_ROLE_ADMIN,
|
|
PROJECT_ROLE_MAINTAINER,
|
|
PROJECT_ROLE_MEMBER,
|
|
];
|
|
|
|
/// Check if a global role is valid
|
|
pub fn is_valid_role(role: &str) -> bool {
|
|
VALID_ROLES.contains(&role)
|
|
}
|
|
|
|
/// Check if a project role is valid
|
|
pub fn is_valid_project_role(role: &str) -> bool {
|
|
VALID_PROJECT_ROLES.contains(&role)
|
|
}
|
|
|
|
/// Get the highest project role (for permission checks)
|
|
pub fn project_role_level(role: &str) -> i32 {
|
|
match role {
|
|
PROJECT_ROLE_ADMIN => 3,
|
|
PROJECT_ROLE_MAINTAINER => 2,
|
|
PROJECT_ROLE_MEMBER => 1,
|
|
_ => 0,
|
|
}
|
|
}
|
|
|
|
/// Check if user has required project permission
|
|
/// Higher level roles automatically have lower level permissions
|
|
pub fn has_project_permission(user_role: &str, required: &str) -> bool {
|
|
let user_level = project_role_level(user_role);
|
|
let required_level = project_role_level(required);
|
|
user_level >= required_level
|
|
}
|