# Access Control Demonstration

This example demonstrates a practical access control scenario using `rhailib`. It showcases how a user, Alice, can manage her own data within her Rhai worker, grant specific access rights to another user, Bob, and deny access to an unauthorized user, Charlie.

## Overview

The example involves three key participants:

1. **Alice (`alice_pk`)**: The owner of the Rhai worker. She runs `alice.rhai` to populate her database with various objects and collections. Some of these are private, while others are explicitly shared with Bob.
2. **Bob (`bob_pk`)**: A user who has been granted some access rights by Alice. In this example, he attempts to run `bob.rhai`, which tries to write data to Alice's worker.
3. **Charlie (`charlie_pk`)**: An unauthorized user. He attempts to run `charlie.rhai`, which is identical to Bob's script.

The core of the access control mechanism lies within the `rhailib_worker`. When a script is submitted for execution, the worker automatically enforces that the `CALLER_ID` matches the worker's own `CONTEXT_ID` for any write operations. This ensures that only the owner (Alice) can modify her data.

## Scenario and Expected Outcomes

1. **Alice Populates Her Database**: Alice's script (`alice.rhai`) runs first. It successfully creates:
   - A private object.
   - An object shared with Bob.
   - A private collection containing a private book and slides that are individually shared with Bob.
   - A shared collection.

   This demonstrates that the owner of the worker can freely write to her own database.
2. **Bob's Query**: Bob's script (`bob.rhai`) is executed next. The script attempts to create new objects in Alice's database. This operation fails with an `Insufficient authorization` error. The logs will show that `bob_pk` does not match the circle's public key, `alice_pk`.
3. **Charlie's Query**: Charlie's script (`charlie.rhai`) also fails with the same authorization error, as he is not the owner of the worker.


This example clearly illustrates the built-in ownership and write protection provided by the Rhai worker.

## Running the Example

Ensure Redis is running and accessible at `redis://127.0.0.1/`.

From the `rhailib` root directory, run:

```bash
cargo run --example access_control
```

Observe the logs to see Alice's script complete successfully, followed by the authorization errors for Bob and Charlie, confirming that the access control is working as expected.
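
The write check described in the Overview, as a simplified stand-alone model. This is an added example, not `rhailib` code: `Worker`, `Object`, `AccessError` and the object names are hypothetical, and the read rule (owner, or a key the object was shared with) is an assumption about what "shared with Bob" means, since the page only specifies the write check.

```rust
use std::collections::{HashMap, HashSet};

#[derive(Debug, PartialEq)]
enum AccessError { InsufficientAuthorization, NotFound }

struct Object { data: String, shared_with: HashSet<String> }

// Hypothetical stand-in for one worker's database; not a rhailib type.
struct Worker { context_id: String, objects: HashMap<String, Object> }

impl Worker {
    fn new(context_id: &str) -> Self {
        Worker { context_id: context_id.to_string(), objects: HashMap::new() }
    }

    // Write guard from the Overview: CALLER_ID must equal the worker's CONTEXT_ID.
    fn write(&mut self, caller_id: &str, name: &str, data: &str, share: &[&str]) -> Result<(), AccessError> {
        if caller_id != self.context_id {
            return Err(AccessError::InsufficientAuthorization);
        }
        let shared_with = share.iter().map(|k| k.to_string()).collect();
        self.objects.insert(name.to_string(), Object { data: data.to_string(), shared_with });
        Ok(())
    }

    // Assumed read rule: the owner, or a key the object was explicitly shared with.
    fn read(&self, caller_id: &str, name: &str) -> Result<&str, AccessError> {
        let is_owner = caller_id == self.context_id;
        match self.objects.get(name) {
            Some(o) if is_owner || o.shared_with.contains(caller_id) => Ok(o.data.as_str()),
            None if is_owner => Err(AccessError::NotFound),
            // Missing and unshared objects look identical to non-owners, so names cannot be probed.
            _ => Err(AccessError::InsufficientAuthorization),
        }
    }
}

fn main() {
    let mut w = Worker::new("alice_pk");
    w.write("alice_pk", "private_obj", "alice only", &[]).unwrap();
    w.write("alice_pk", "shared_obj", "for bob", &["bob_pk"]).unwrap();
    for caller in ["bob_pk", "charlie_pk"] {
        println!("{caller} write -> {:?}", w.write(caller, "new_obj", "x", &[]));
        println!("{caller} read shared_obj -> {:?}", w.read(caller, "shared_obj"));
    }
}
```

In this model both Bob and Charlie get `InsufficientAuthorization` on the write, matching the outcomes listed above, while only Bob can read the object shared with him.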