
Access Control Demonstration

This example demonstrates a practical access control scenario using rhailib. It showcases how a user, Alice, can manage her own data within her Rhai worker, grant specific access rights to another user, Bob, and deny access to an unauthorized user, Charlie.

Overview

The example involves three key participants:

  1. Alice (alice_pk): The owner of the Rhai worker. She runs alice.rhai to populate her database with various objects and collections. Some of these are private, while others are explicitly shared with Bob.

  2. Bob (bob_pk): A user who has been granted some access rights by Alice. In this example, he attempts to run bob.rhai, which tries to write data to Alice's worker.

  3. Charlie (charlie_pk): An unauthorized user. He attempts to run charlie.rhai, which is identical to Bob's script.

The core of the access control mechanism lies within the rhailib_worker. When a script is submitted for execution, the worker automatically enforces that the CALLER_ID matches the worker's own CONTEXT_ID for any write operations. This ensures that only the owner (Alice) can modify her data.

Scenario and Expected Outcomes

  1. Alice Populates Her Database: Alice's script (alice.rhai) runs first. It successfully creates:

    • A private object.
    • An object shared with Bob.
    • A private collection containing a private book and slides that are individually shared with Bob.
    • A shared collection.

     This demonstrates that the owner of the worker can freely write to her own database.

  2. Bob's Query: Bob's script (bob.rhai) is executed next. The script attempts to create new objects in Alice's database. This operation fails with an Insufficient authorization error. The logs will show that bob_pk does not match the circle's public key, alice_pk.

  3. Charlie's Query: Charlie's script (charlie.rhai) also fails with the same authorization error, as he is not the owner of the worker.

This example clearly illustrates the built-in ownership and write protection provided by the Rhai worker.
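
The owner-only write rule and the three outcomes above can be modelled in a few lines of Rust. This is an added illustration, not rhailib's own code: the `Worker` type, the `InsufficientAuthorization` struct, the method names, and the per-object read rule for shared objects are all assumptions made for the sketch.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical model of the worker; none of these names are rhailib's API.
struct Worker {
    context_id: String,                        // owner's public key
    objects: HashMap<String, HashSet<String>>, // object -> keys it is shared with
}

#[derive(Debug, PartialEq)]
struct InsufficientAuthorization { caller: String, owner: String }

impl Worker {
    fn new(owner: &str) -> Self {
        Worker { context_id: owner.to_string(), objects: HashMap::new() }
    }

    // Write rule from the README: CALLER_ID must equal the worker's CONTEXT_ID.
    fn write(&mut self, caller_id: &str, name: &str, shared_with: &[&str])
        -> Result<(), InsufficientAuthorization> {
        if caller_id != self.context_id {
            return Err(InsufficientAuthorization {
                caller: caller_id.to_string(),
                owner: self.context_id.clone(),
            });
        }
        let acl = shared_with.iter().map(|k| k.to_string()).collect();
        self.objects.insert(name.to_string(), acl);
        Ok(())
    }

    // Read rule (assumed): the owner, or a key the object was shared with.
    fn can_read(&self, caller_id: &str, name: &str) -> bool {
        self.objects.get(name)
            .map_or(false, |acl| caller_id == self.context_id || acl.contains(caller_id))
    }
}

fn main() {
    let mut w = Worker::new("alice_pk");
    w.write("alice_pk", "private_object", &[]).unwrap();
    w.write("alice_pk", "shared_object", &["bob_pk"]).unwrap();
    for caller in ["bob_pk", "charlie_pk"] {
        // Same script for both callers; both are rejected as non-owners.
        println!("{}: {:?}", caller, w.write(caller, "new_object", &[]));
    }
    println!("bob reads shared: {}", w.can_read("bob_pk", "shared_object"));
}
```

Note that sharing an object with Bob changes only what he may read in this model; it never makes him a writer, which is why his script and Charlie's fail identically.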

Running the Example

Ensure Redis is running and accessible at redis://127.0.0.1/.

From the rhailib root directory, run:

cargo run --example access_control

Observe the logs to see Alice's script complete successfully, followed by the authorization errors for Bob and Charlie, confirming that the access control is working as expected.