PermissionProtocol
Protocol defining the contract for permission checking.
This is the primary port for authorization in the hexagonal architecture.
Example usage:
    perm: PermissionProtocol = container.get(PermissionProtocol)
    result = await perm.evaluate(PolicyEvaluateRequest(
        principal="user-001",
        action=PermissionAction.WRITE,
        resource="Invoice",
        resource_id="inv-123",
        principal_attributes={"roles": ["Manager"], "department": "Sales"},
    ))
    if result.authorized:
        # Allow access
        pass
Source: permission.py
Methods
evaluate
    async def evaluate(
        self,
        request: PolicyEvaluateRequest,
    ) -> PolicyEvaluateResult
Evaluate a policy request.
Args:
    request: Stateless request containing all context
Returns:
    PolicyEvaluateResult with authorized flag and decision source
get_permitted_filters
    async def get_permitted_filters(
        self,
        principal: str,
        principal_attributes: dict[str, Any],
        resource: str,
        tenant_id: str | None = None,
    ) -> dict[str, Any]
Get filters for Row-Level Security.
Returns SQL filters to apply to list queries for this principal.
For ReBAC, may query the graph engine for allowed IDs.
Args:
    principal: User ID
    principal_attributes: User attributes (roles, groups, etc.)
    resource: DocType name
    tenant_id: Optional tenant context
Returns:
    Filter dict to apply (e.g., {"owner": principal} or {"id": ["doc1", "doc2"]})
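An added example, not the project's own code: one way a caller could apply the dict returned by get_permitted_filters to a list query, assuming a scalar value means equality and a list value means IN. The ALLOWED_COLUMNS table, the helper names and the SQLite sample data are constructed for illustration.

```python
import sqlite3
from typing import Any

# Hypothetical allowlist: column names that may appear in a filter, per DocType.
ALLOWED_COLUMNS = {"Invoice": {"id", "owner"}}


def build_where(resource: str, filters: dict[str, Any]) -> tuple[str, list[Any]]:
    """Turn a filter dict into a parameterized WHERE clause.

    Assumed semantics (the page shows only the two dict shapes):
    scalar value -> equality, list value -> IN (...).
    """
    clauses: list[str] = []
    params: list[Any] = []
    for column, value in filters.items():
        # Column names cannot be bound as parameters, so check them against an allowlist.
        if column not in ALLOWED_COLUMNS.get(resource, set()):
            raise ValueError(f"filter column not allowed: {column!r}")
        if isinstance(value, (list, tuple, set)):
            values = list(value)
            if not values:
                # Empty list of permitted IDs: match nothing rather than dropping the filter.
                clauses.append("0 = 1")
                continue
            clauses.append(f'"{column}" IN ({", ".join("?" * len(values))})')
            params.extend(values)
        else:
            clauses.append(f'"{column}" = ?')
            params.append(value)
    # Assumption: an empty dict means the principal has no row restriction.
    return (" AND ".join(clauses) or "1 = 1"), params


def list_invoices(conn: sqlite3.Connection, filters: dict[str, Any]) -> list[str]:
    where, params = build_where("Invoice", filters)
    rows = conn.execute(f'SELECT id FROM "Invoice" WHERE {where} ORDER BY id', params)
    return [row[0] for row in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data, in-memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "Invoice" (id TEXT PRIMARY KEY, owner TEXT)')
    conn.executemany('INSERT INTO "Invoice" VALUES (?, ?)',
                     [("inv-1", "user-001"), ("inv-2", "user-002"), ("inv-3", "user-001")])
    return conn
```

The empty-list branch matters for ReBAC-style results: a principal with no permitted IDs gets zero rows instead of an unfiltered query.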
Adapters
RbacPermissionAdapter
OpaPermissionAdapter
SpiceDbPermissionAdapter
ComboPermissionAdapter