greywolve/permissions.clj

## permissions.clj
(require '[clojure.set :as set])
(require '[clojure.string :as string])

(def wildcard :*)

(defn permission-string->permission [perm-str]
  (->> (string/split perm-str #":")
       (mapv (fn [s]
               (->> (string/split s #",")
                    (map keyword)
                    set)))))

;; a user permission implies a resource permission if it is a superset or, or exactly equal to
;; the resource permission. This was ported from Shiro's WildcardPermission
(defn implies [user-perm resource-perm]
  (let [user-perm (if (string? user-perm)
                    (permission-string->permission user-perm)
                      user-perm)
        resource-perm (if (string? resource-perm)
                        (permission-string->permission resource-perm)
                        resource-perm)
        resource-perm-count (count resource-perm)
        user-perm-count     (count user-perm)]
    (loop [i 0]
      (cond
        (> i (dec user-perm-count))     true
        (> i (dec resource-perm-count)) (let [user-parts (nth user-perm i)]
                                          (if (not (contains? user-parts wildcard))
                                            false
                                            (recur (inc i))))
        :else
        (let [resource-parts (nth resource-perm i)
              user-parts     (nth user-perm i)]
          (if (and (not (contains? user-parts wildcard))
                   (not (set/subset? resource-parts user-parts)))
            false
            (recur (inc i))))))))

(comment
  (implies "lead:transition,edit" "lead:edit") ;; true
  (implies "lead:transition,edit" "lead") ;; false, must be a superset
  (implies "lead" "lead:edit") ;; true, any lead action
  (implies "lead:transition:*" "lead:transition:assign-to-sales") ;; true
)
	(require '[clojure.set :as set])
	(require '[clojure.string :as string])

	(def wildcard :*)

	(defn permission-string->permission [perm-str]
	(->> (string/split perm-str #":")
	(mapv (fn [s]
	(->> (string/split s #",")
	(map keyword)
	set)))))

	;; a user permission implies a resource permission if it is a superset or, or exactly equal to
	;; the resource permission. This was ported from Shiro's WildcardPermission
	(defn implies [user-perm resource-perm]
	(let [user-perm (if (string? user-perm)
	(permission-string->permission user-perm)
	user-perm)
	resource-perm (if (string? resource-perm)
	(permission-string->permission resource-perm)
	resource-perm)
	resource-perm-count (count resource-perm)
	user-perm-count (count user-perm)]
	(loop [i 0]
	(cond
	(> i (dec user-perm-count)) true
	(> i (dec resource-perm-count)) (let [user-parts (nth user-perm i)]
	(if (not (contains? user-parts wildcard))
	false
	(recur (inc i))))
	:else
	(let [resource-parts (nth resource-perm i)
	user-parts (nth user-perm i)]
	(if (and (not (contains? user-parts wildcard))
	(not (set/subset? resource-parts user-parts)))
	false
	(recur (inc i))))))))

	(comment
	(implies "lead:transition,edit" "lead:edit") ;; true
	(implies "lead:transition,edit" "lead") ;; false, must be a superset
	(implies "lead" "lead:edit") ;; true, any lead action
	(implies "lead:transition:*" "lead:transition:assign-to-sales") ;; true
	)