Skip to content

angee.graphql.access

REBAC read gating for GraphQL schema surfaces and change payloads.

actor_can_read

python
def actor_can_read(resource: ObjectRef) -> bool

Return whether the current actor holds read on resource.

The GraphQL-layer read gate for surfaces that anchor visibility on a single REBAC object rather than a per-model resource (e.g. the platform console's platform/explorer anchor, the operator daemon's operator/connection anchor). Callers pass their own anchor as resource so each surface keeps its anchor explicit; an actorless request (no authenticated subject) reads as not allowed.

ChangeReadGate

python
class ChangeReadGate()

Filter and redact change payloads for one model and actor.

__init__

python
def __init__(model: type[models.Model], actor: SubjectRef) -> None

Resolve model authorization facts for actor once.

filter

python
def filter(payload: Mapping[str, Any] | ChangePayload) -> ChangeEvent | None

Return a readable change event, or None when hidden.

Released under the AGPL-3.0 License.