angee.graphql.access
REBAC read gating for GraphQL schema surfaces and change payloads.
actor_can_read
python
def actor_can_read(resource: ObjectRef) -> boolReturn whether the current actor holds read on resource.
The GraphQL-layer read gate for surfaces that anchor visibility on a single REBAC object rather than a per-model resource (e.g. the platform console's platform/explorer anchor, the operator daemon's operator/connection anchor). Callers pass their own anchor as resource so each surface keeps its anchor explicit; an actorless request (no authenticated subject) reads as not allowed.
ChangeReadGate
python
class ChangeReadGate()Filter and redact change payloads for one model and actor.
__init__
python
def __init__(model: type[models.Model], actor: SubjectRef) -> NoneResolve model authorization facts for actor once.
filter
python
def filter(payload: Mapping[str, Any] | ChangePayload) -> ChangeEvent | NoneReturn a readable change event, or None when hidden.