Inheritable Permissions on Gno.land (with gnomod.toml)
By adding an inherit option for module-level permissions—configured in the new gnomod.toml at the root of a realm/module—we promote access control to a higher-level set of controls.
gnomod.toml
module = "gno.land/r/stackdump000"
private = true

module = "gno.land/r/stackdump000/subrealm"
inherit = true
– /r/stackdump000 is set to private
– /r/stackdump000/subrealm/ declares inherit, meaning it doesn’t override but follows the parent’s rules.
– All writes are restricted by the parent realm and must originate from within its hierarchy.
This moves realm-based permissions up a level, enabling parent realms to delegate and enforce write access without exposing global permissions.
Current solution
This could replace the current pattern I'm using in a few places:
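	import (
		"std"
		"strings"
	)

	// realmAllowPrefix lists the package-path prefixes that are allowed.
	var realmAllowPrefix []string

	func init() {
		// Allow the "/patch" sub-path of this realm.
		realmAllowPrefix = append(realmAllowPrefix, std.CurrentRealm().PkgPath()+"/patch")
	}

	// hasAllowedPrefix reports whether the current realm's package path
	// starts with one of the allowed prefixes.
	func hasAllowedPrefix() bool {
		currentRealm := std.CurrentRealm()
		for _, callerPath := range realmAllowPrefix {
			if strings.HasPrefix(currentRealm.PkgPath(), callerPath) {
				return true
			}
		}
		return false
	}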
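
A sketch of the inheritance rule described above, written in plain Go as an added example; it is not code from the issue or from Gno. The `ModConfig` type and the `within`, `governing` and `canWrite` helpers are hypothetical, and the rule that a private hierarchy accepts writes only from callers inside the governing realm's hierarchy is an assumed reading of the proposal.

```go
package main

import (
	"fmt"
	"strings"
)

// ModConfig holds the two gnomod.toml keys used in the issue (hypothetical type).
type ModConfig struct{ Private, Inherit bool }

// within matches root or root+"/..." so a sibling such as ".../stackdump000x" fails.
func within(path, root string) bool {
	return path == root || strings.HasPrefix(path, root+"/")
}

// governing follows inherit = true upward; a missing config fails closed.
func governing(mods map[string]ModConfig, pkg string) (string, bool) {
	for {
		cfg, ok := mods[pkg]
		if !ok {
			return "", false
		}
		if !cfg.Inherit {
			return pkg, true
		}
		i := strings.LastIndex(pkg, "/")
		if i < 0 {
			return "", false
		}
		pkg = pkg[:i]
	}
}

// canWrite (assumed rule): private hierarchies accept only in-hierarchy callers.
func canWrite(mods map[string]ModConfig, target, caller string) bool {
	root, ok := governing(mods, target)
	if !ok {
		return false
	}
	return !mods[root].Private || within(caller, root)
}

func main() {
	mods := map[string]ModConfig{ // constructed sample mirroring the issue
		"gno.land/r/stackdump000":          {Private: true},
		"gno.land/r/stackdump000/subrealm": {Inherit: true},
	}
	fmt.Println(canWrite(mods, "gno.land/r/stackdump000/subrealm", "gno.land/r/stackdump000/patch"))
}
```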