Add an AllRead key

Mubelotix
2025-06-19 11:29:16 +02:00
parent 00eb258a53
commit b421c8e7de
2 changed files with 49 additions and 0 deletions


@@ -89,6 +89,7 @@ impl HeedAuthStore {
for action in &key.actions { for action in &key.actions {
match action { match action {
Action::All => actions.extend(enum_iterator::all::<Action>()), Action::All => actions.extend(enum_iterator::all::<Action>()),
Action::AllRead => actions.extend(enum_iterator::all::<Action>().filter(|a| a.is_read())),
Action::DocumentsAll => { Action::DocumentsAll => {
actions.extend( actions.extend(
[Action::DocumentsGet, Action::DocumentsDelete, Action::DocumentsAdd] [Action::DocumentsGet, Action::DocumentsDelete, Action::DocumentsAdd]
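Review bot: The new `Action::AllRead` arm carries no comment saying that the set it adds to `actions` is decided entirely by `Action::is_read`. Unlike the `Action::All` arm above it, it also does not add the wildcard itself, because the filter drops `AllRead` (`is_read` returns false for it). I would put `// Expands to the actions accepted by Action::is_read; AllRead itself is not added.` above the arm. The enclosing function starts and ends outside the hunk, so whether any later lookup expects the wildcard to be present cannot be checked from here.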


@@ -218,6 +218,9 @@ pub enum Action {
#[serde(rename = "*")] #[serde(rename = "*")]
#[deserr(rename = "*")] #[deserr(rename = "*")]
All = 0, All = 0,
#[serde(rename = "*.read")]
#[deserr(rename = "*.read")]
AllRead,
#[serde(rename = "search")] #[serde(rename = "search")]
#[deserr(rename = "search")] #[deserr(rename = "search")]
Search, Search,
@@ -396,6 +399,51 @@ impl Action {
} }
} }
/// Whether the action should be included in [Action::AllRead].
pub fn is_read(&self) -> bool {
use Action::*;
// It's using an exhaustive match to force the addition of new actions.
match self {
// Any action that expands to others must return false, as it wouldn't be able to expand recursively.
All | AllRead | DocumentsAll | IndexesAll | ChatsAll | TasksAll | SettingsAll
| StatsAll | MetricsAll | DumpsAll | SnapshotsAll | ChatsSettingsAll => false,
Search => true,
DocumentsAdd => false,
DocumentsGet => true,
DocumentsDelete => false,
IndexesAdd => false,
IndexesGet => true,
IndexesUpdate => false,
IndexesDelete => false,
IndexesSwap => false,
TasksCancel => false,
TasksDelete => false,
TasksGet => true,
SettingsGet => true,
SettingsUpdate => false,
StatsGet => true,
MetricsGet => true,
DumpsCreate => false,
SnapshotsCreate => false,
Version => true,
KeysAdd => false,
KeysGet => false, // Prevent privilege escalation by not allowing reading other keys.
KeysUpdate => false,
KeysDelete => false,
ExperimentalFeaturesGet => true,
ExperimentalFeaturesUpdate => false,
NetworkGet => true,
NetworkUpdate => false,
ChatCompletions => false, // Disabled because it might trigger generation of new chats.
ChatsGet => true,
ChatsDelete => false,
ChatsSettingsGet => true,
ChatsSettingsUpdate => false,
}
}
pub const fn repr(&self) -> u8 { pub const fn repr(&self) -> u8 {
*self as u8 *self as u8
} }
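Review bot: `AllRead` is declared between `All = 0` and `Search` with no explicit discriminant, so it takes the value 1 and, unless the variants that follow carry explicit values outside this hunk, each of them moves up by one. `repr()` returns `*self as u8`, so if that byte is written to the key store or compared with stored values, keys saved before this commit would be read back as a different action, which changes what they authorize. Declaring the variant after the last existing one keeps every current value stable, with a comment such as `// Appended last: existing discriminants returned by repr() must not change.`. The enum body continues outside the hunk, so the other discriminants and the callers of `repr()` should be checked before merging.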