Permissions handling

[thibaudbenoist]

Hi @ivan-borovets and thank you very much for this very interesting sample.
I try to understand really clearly the permission system you implemented in your sample. Is it based on classic pattern ? Could you give references to read about this topic ?
BR Thibaud

[ivan-borovets]

Hello, Thibaud!

I didn’t design it around any specific "classic pattern", but the idea is close to a Specification-like approach: explicit authorization rules evaluated against a context. For many projects, especially as a starting point, in-process authorization like this can be more than enough. And honestly, I rarely see "pure" RBAC/ReBAC/ABAC in real projects - authorization is usually shaped by business needs.

One can also see a guard-style API, where the action is encoded in the method name - check_can_<do>(context). For fine-grained enterprise authorization, one possible approach is to rely on an external Policy Decision Point (e.g. OPA) - then you add an application port to that PDP and delegate decisions to it.