{"id":13507464,"url":"https://github.com/MilosMosovsky/terminator","last_synced_at":"2025-03-30T08:30:32.117Z","repository":{"id":50715959,"uuid":"163835811","full_name":"MilosMosovsky/terminator","owner":"MilosMosovsky","description":"🛡 Modern elixir ACL/ABAC library for managing granular user abilities and permissions","archived":false,"fork":false,"pushed_at":"2023-10-26T01:27:09.000Z","size":45,"stargazers_count":62,"open_issues_count":4,"forks_count":12,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-14T14:04:52.493Z","etag":null,"topics":["acl","ecto","elixir","elixir-phoenix"],"latest_commit_sha":null,"homepage":"https://hexdocs.pm/terminator/","language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/MilosMosovsky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-01-02T12:04:05.000Z","updated_at":"2024-11-18T22:50:37.000Z","dependencies_parsed_at":"2024-05-01T15:27:44.757Z","dependency_job_id":"ee7e3d31-7d91-4fbd-b18d-be3f119ef753","html_url":"https://github.com/MilosMosovsky/terminator","commit_stats":{"total_commits":10,"total_committers":2,"mean_commits":5.0,"dds":0.09999999999999998,"last_synced_commit":"79e7eb840f294d72384beeaafbd3d7a93fb1ae8d"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MilosMosovsky%2Fterminator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MilosMosovsky%2Fterminator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MilosMosovsky%2Fterminator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/MilosMosovsky%2Fterminator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/MilosMosovsky","download_url":"https://codeload.github.com/MilosMosovsky/terminator/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246296362,"owners_count":20754625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acl","ecto","elixir","elixir-phoenix"],"created_at":"2024-08-01T02:00:34.302Z","updated_at":"2025-03-30T08:30:31.727Z","avatar_url":"https://github.com/MilosMosovsky.png","language":"Elixir","funding_links":[],"categories":["Authorization"],"sub_categories":[],"readme":"# 🛡 Terminator 🛡\n\n[![Coverage Status](https://img.shields.io/coveralls/github/MilosMosovsky/terminator.svg?style=flat-square)](https://coveralls.io/github/MilosMosovsky/terminator)\n[![Build Status](https://img.shields.io/travis/MilosMosovsky/terminator.svg?style=flat-square)](https://travis-ci.org/MilosMosovsky/terminator)\n[![Version](https://img.shields.io/hexpm/v/terminator.svg?style=flat-square)](https://hex.pm/packages/terminator)\n\nTerminator is toolkit for granular ability management for performers. It allows you to define granular abilities such as:\n\n- `Performer -\u003e Ability`\n- `Performer -\u003e [Ability, Ability, ...]`\n- `Role -\u003e [Ability, Ability, ...]`\n- `Performer -\u003e Role -\u003e [Ability, Ability, Ability]`\n- `Performer -\u003e [Role -\u003e [Ability], Role -\u003e [Ability, ...]]`\n- `Performer -\u003e AnyEntity -\u003e [Ability, ...]`\n\nIt tries to mimic [https://en.wikipedia.org/wiki/Attribute-based_access_control](https://en.wikipedia.org/wiki/Attribute-based_access_control) and allow to define any policy which is needed.\n\nHere is a small example:\n\n```elixir\ndefmodule Sample.Post\n use Terminator\n\n def delete_post(id) do\n performer = Sample.Repo.get(Terminator.Performer, 1)\n load_and_authorize_performer(performer)\n post = %Post{id: 1}\n\n permissions do\n has_role(:admin) # or\n has_role(:editor) # or\n has_ability(:delete_posts) # or\n has_ability(:delete, post) # Entity related abilities\n calculated(fn performer -\u003e\n performer.email_confirmed?\n end)\n end\n\n as_authorized do\n Sample.Repo.get(Sample.Post, id) |\u003e Sample.repo.delete()\n end\n\n # Notice that you can use both macros or functions\n\n case is_authorized? do\n :ok -\u003e Sample.Repo.get(Sample.Post, id) |\u003e Sample.repo.delete()\n {:error, message} -\u003e \"Raise error\"\n _ -\u003e \"Raise error\"\n end\n end\n\n```\n\n## Features\n\n- [x] `Performer` -\u003e `[Ability]` permission schema\n- [x] `Role` -\u003e `[Ability]` permission schema\n- [x] `Performer` -\u003e `[Role]` -\u003e `[Ability]` permission schema\n- [x] `Performer` -\u003e `Object` -\u003e `[Ability]` permission schema\n- [x] Computed permission in runtime\n- [x] Easily readable DSL\n- [ ] [ueberauth](https://github.com/ueberauth/ueberauth) integration\n- [ ] [absinthe](https://github.com/absinthe-graphql/absinthe) middleware\n- [ ] Session plug to get current_user\n\n## Installation\n\n```elixir\ndef deps do\n [\n {:terminator, \"~\u003e 0.5.2\"}\n ]\nend\n```\n\n```elixir\n# In your config/config.exs file\nconfig :terminator, Terminator.Repo,\n username: \"postgres\",\n password: \"postgres\",\n database: \"terminator_dev\",\n hostname: \"localhost\"\n```\n\n```elixir\niex\u003e mix terminator.setup\n```\n\n### Usage with ecto\n\nTerminator is originally designed to be used with Ecto. Usually you will want to have your own table for `Accounts`/`Users` living in your application. To do so you can link performer with `belongs_to` association within your schema.\n\n```elixir\n# In your migrations add performer_id field\ndefmodule Sample.Migrations.CreateUsersTable do\n use Ecto.Migration\n\n def change do\n create table(:users) do\n add :username, :string\n add :performer_id, references(Terminator.Performer.table())\n\n timestamps()\n end\n\n create unique_index(:users, [:username])\n end\nend\n\n```\n\nThis will allow you link any internal entity with 1-1 association to performers. Please note that you need to create performer on each user creation (e.g with `Terminator.Performer.changeset/2`) and call `put_assoc` inside your changeset\n\n```elixir\n# In schema defintion\ndefmodule Sample.User do\n use Ecto.Schema\n\n schema \"users\" do\n field :username, :String\n\n belongs_to :performer, Terminator.Performer\n\n timestamps()\n end\nend\n```\n\n```elixir\n# In your model\ndefmodule Sample.Post\n use Terminator\n\n def delete_post(id) do\n user = Sample.Repo.get(Sample.User, 1)\n load_and_authorize_performer(user)\n # Function allows multiple signatues of performer it can\n # be either:\n # * %Terminator.Performer{}\n # * %AnyStruct{performer: %Terminator.Performer{}}\n # * %AnyStruct{performer_id: id} (this will perform database preload)\n\n\n permissions do\n has_role(:admin) # or\n has_role(:editor) # or\n has_ability(:delete_posts) # or\n end\n\n as_authorized do\n Sample.Repo.get(Sample.Post, id) |\u003e Sample.repo.delete()\n end\n\n # Notice that you can use both macros or functions\n\n case is_authorized? do\n :ok -\u003e Sample.Repo.get(Sample.Post, id) |\u003e Sample.repo.delete()\n {:error, message} -\u003e \"Raise error\"\n _ -\u003e \"Raise error\"\n end\n end\n\n```\n\nTerminator tries to infer the performer, so it is easy to pass any struct (could be for example `User` in your application) which has set up `belongs_to` association for performer. If the performer was already preloaded from database Terminator will take it as loaded performer. If you didn't do preload and just loaded `User` -\u003e `Repo.get(User, 1)` Terminator will fetch the performer on each authorization try.\n\n### Calculated permissions\n\nOften you will come to case when `static` permissions are not enough. For example allow only users who confirmed their email address.\n\n```elixir\ndefmodule Sample.Post do\n def create() do\n user = Sample.Repo.get(Sample.User, 1)\n load_and_authorize_performer(user)\n\n permissions do\n calculated(fn performer -\u003e do\n performer.email_confirmed?\n end)\n end\n end\nend\n```\n\nWe can also use DSL form of `calculated` keyword\n\n```elixir\ndefmodule Sample.Post do\n def create() do\n user = Sample.Repo.get(Sample.User, 1)\n load_and_authorize_performer(user)\n\n permissions do\n calculated(:confirmed_email)\n end\n end\n\n def confirmed_email(performer) do\n performer.email_confirmed?\n end\nend\n```\n\n### Composing calculations\n\nWhen we need to performer calculation based on external data we can invoke bindings to `calculated/2`\n\n```elixir\ndefmodule Sample.Post do\n def create() do\n user = Sample.Repo.get(Sample.User, 1)\n post = %Post{owner_id: 1}\n load_and_authorize_performer(user)\n\n permissions do\n calculated(:confirmed_email)\n calculated(:is_owner, [post])\n end\n end\n\n def confirmed_email(performer) do\n performer.email_confirmed?\n end\n\n def is_owner(performer, [post]) do\n performer.id == post.owner_id\n end\nend\n```\n\nTo perform exclusive abilities such as `when User is owner of post AND is in editor role` we can do so as in following example\n\n```elixir\ndefmodule Sample.Post do\n def create() do\n user = Sample.Repo.get(Sample.User, 1)\n post = %Post{owner_id: 1}\n load_and_authorize_performer(user)\n\n permissions do\n has_role(:editor)\n end\n\n as_authorized do\n case is_owner(performer, post) do\n :ok -\u003e ...\n {:error, message} -\u003e ...\n end\n end\n end\n\n def is_owner(performer, post) do\n load_and_authorize_performer(performer)\n\n permissions do\n calculated(fn p, [post] -\u003e\n p.id == post.owner_id\n end)\n end\n\n is_authorized?\n end\nend\n```\n\nWe can simplify example in this case by excluding DSL for permissions\n\n```elixir\ndefmodule Sample.Post do\n def create() do\n user = Sample.Repo.get(Sample.User, 1)\n post = %Post{owner_id: 1}\n\n # We can also use has_ability?/2\n if has_role?(user, :admin) and is_owner(user, post) do\n ...\n end\n end\n\n def is_owner(performer, post) do\n performer.id == post.owner_id\n end\nend\n```\n\n### Entity related abilities\n\nTerminator allows you to grant abilities on any particular struct. Struct needs to have signature of `%{__struct__: entity_name, id: entity_id}` to infer correct relations. Lets assume that we want to grant `:delete` ability on particular `Post` for our performer:\n\n```elixir\niex\u003e {:ok, performer} = %Terminator.Performer{} |\u003e Terminator.Repo.insert()\niex\u003e post = %Post{id: 1}\niex\u003e ability = %Ability{identifier: \"delete\"}\niex\u003e Terminator.Performer.grant(performer, :delete, post)\niex\u003e Terminator.has_ability?(performer, :delete, post)\ntrue\n```\n\n```elixir\ndefmodule Sample.Post do\n def delete() do\n user = Sample.Repo.get(Sample.User, 1)\n post = %Post{id: 1}\n load_and_authorize_performer(user)\n\n permissions do\n has_ability(:delete, post)\n end\n\n as_authorized do\n :ok\n end\n end\nend\n```\n\n### Granting abilities\n\nLet's assume we want to create new `Role` - _admin_ which is able to delete accounts inside our system. We want to have special `Performer` who is given this _role_ but also he is able to have `Ability` for banning users.\n\n1. Create performer\n\n```elixir\niex\u003e {:ok, performer} = %Terminator.Performer{} |\u003e Terminator.Repo.insert()\n```\n\n2. Create some abilities\n\n```elixir\niex\u003e {:ok, ability_delete} = Terminator.Ability.build(\"delete_accounts\", \"Delete accounts of users\") |\u003e Terminator.Repo.insert()\niex\u003e {:ok, ability_ban} = Terminator.Ability.build(\"ban_accounts\", \"Ban users\") |\u003e Terminator.Repo.insert()\n```\n\n3. Create role\n\n```elixir\niex\u003e {:ok, role} = Terminator.Role.build(\"admin\", [], \"Site administrator\") |\u003e Terminator.Repo.insert()\n```\n\n4. Grant abilities to a role\n\n```elixir\niex\u003e Terminator.Role.grant(role, ability_delete)\n```\n\n5. Grant role to a performer\n\n```elixir\niex\u003e Terminator.Performer.grant(performer, role)\n```\n\n6. Grant abilities to a performer\n\n```elixir\niex\u003e Terminator.Performer.grant(performer, ability_ban)\n```\n\n```elixir\niex\u003e performer |\u003e Terminator.Repo.preload([:roles, :abilities])\n%Terminator.Performer{\n abilities: [\n %Terminator.Ability{\n identifier: \"ban_accounts\"\n }\n ]\n roles: [\n %Terminator.Role{\n identifier: \"admin\"\n abilities: [\"delete_accounts\"]\n }\n ]\n}\n```\n\n### Revoking abilities\n\nSame as we can grant any abilities to models we can also revoke them.\n\n```elixir\niex\u003e Terminator.Performer.revoke(performer, role)\niex\u003e performer |\u003e Terminator.Repo.preload([:roles, :abilities])\n%Terminator.Performer{\n abilities: [\n %Terminator.Ability{\n identifier: \"ban_accounts\"\n }\n ]\n roles: []\n}\niex\u003e Terminator.Performer.revoke(performer, ability_ban)\niex\u003e performer |\u003e Terminator.Repo.preload([:roles, :abilities])\n%Terminator.Performer{\n abilities: []\n roles: []\n}\n```\n\n## License\n\n[MIT © Milos Mosovsky](mailto:milos@mosovsky.com)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMilosMosovsky%2Fterminator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMilosMosovsky%2Fterminator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMilosMosovsky%2Fterminator/lists"}