<div align="center"> <h3>Premium sponsors</h3> <p> <a href="https://id8media.com"><strong>ID8 Media</strong></a> · <a href="https://one-studio.co"><strong>One Studio</strong></a> </p> <p><sub>Support togo — <a href="https://github.com/sponsors/fadymondy">become a sponsor</a>.</sub></p> </div>
# authz

togo authorization — policies, gates & abilities beyond RBAC

by togo-framework
authz is the togo answer to Laravel Policies / Pundit / django-guardian. RBAC tells you a user's roles; authz decides the specific question "may this subject perform this action on this resource?" — ownership, tenancy, state, and any custom rule.

## Install

```bash
togo install togo-framework/authz
```
- Policies — per-resource-type, per-action rules (`update` a `Post` only if you authored it).
- Gates — standalone abilities with no specific resource (`access-admin`).
- Before hooks — short-circuit every check (super-admin bypass, maintenance lock).
- Default deny — unknown action/resource is denied; nothing is allowed by omission.
## Usage

```go
// Policies — keyed by authz.TypeName(resource), e.g. "*models.Post".
authz.Policy("*models.Post", map[string]authz.PolicyFunc{
	"update": func(ctx context.Context, subject, resource any) (bool, error) {
		return resource.(*models.Post).AuthorID == subject.(*models.User).ID, nil
	},
	"delete": func(ctx context.Context, subject, resource any) (bool, error) {
		return subject.(*models.User).Admin, nil
	},
})

// Gates — standalone abilities.
authz.RegisterGate("access-admin", func(ctx context.Context, s any) (bool, error) {
	return s.(*models.User).Admin, nil
})

// Before — super-admin bypass.
authz.Before(func(ctx context.Context, s any, action string) (decided, allow bool) {
	if u, ok := s.(*models.User); ok && u.SuperAdmin {
		return true, true
	}
	return false, false
})
```
## Checking access

```go
ok, err := authz.Can(ctx, user, "update", post)      // policy (resource non-nil)
ok2 := authz.Allows(ctx, user, "access-admin", nil)  // gate (resource nil); error → deny

if err := authz.Authorize(ctx, user, "update", post); err != nil {
	return err // authz.ErrForbidden when denied
}
```
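To make the decision order concrete (before hooks first, then a policy keyed by the resource's type name, then a gate, and default deny when nothing matched), here is an added, self-contained stand-in that mimics the behaviour the sections above describe. It is not the authz package's code: `User`, `Post`, `Authorizer` and `Setup` are assumed names so it compiles without the togo modules, and it registers the same rules as the Usage section.

```go
package main

import (
	"context"
	"fmt"
)
// Stand-in subject and resource types (assumed; not togo's models package).
type User struct{ ID int; Admin, SuperAdmin bool }
type Post struct{ AuthorID int }
type PolicyFunc func(ctx context.Context, subject, resource any) (bool, error)
type GateFunc func(ctx context.Context, subject any) (bool, error)
type BeforeFunc func(ctx context.Context, subject any, action string) (decided, allow bool)
// Authorizer models the README's decision order: before hooks, type-keyed policy, gate, else deny.
type Authorizer struct {
	before   []BeforeFunc
	policies map[string]map[string]PolicyFunc // "*main.Post" -> action -> rule
	gates    map[string]GateFunc
}
func (a *Authorizer) Can(ctx context.Context, subject any, action string, resource any) (bool, error) {
	for _, b := range a.before {
		if decided, allow := b(ctx, subject, action); decided {
			return allow, nil // short-circuit, e.g. super-admin bypass
		}
	}
	if resource != nil {
		if rule, ok := a.policies[fmt.Sprintf("%T", resource)][action]; ok {
			return rule(ctx, subject, resource)
		}
		return false, nil // no policy for this type/action: default deny
	}
	if g, ok := a.gates[action]; ok {
		return g(ctx, subject) // a rule error propagates; callers treat it as deny
	}
	return false, nil // unknown gate: default deny
}
// Setup registers the same rules the Usage section above does.
func Setup() *Authorizer {
	a := &Authorizer{policies: map[string]map[string]PolicyFunc{}, gates: map[string]GateFunc{}}
	a.policies["*main.Post"] = map[string]PolicyFunc{
		"update": func(_ context.Context, s, r any) (bool, error) { return r.(*Post).AuthorID == s.(*User).ID, nil },
		"delete": func(_ context.Context, s, _ any) (bool, error) { return s.(*User).Admin, nil },
	}
	a.gates["access-admin"] = func(_ context.Context, s any) (bool, error) { return s.(*User).Admin, nil }
	a.before = append(a.before, func(_ context.Context, s any, _ string) (bool, bool) {
		u, ok := s.(*User)
		return ok && u.SuperAdmin, true // decided only for super-admins
	})
	return a
}
```

The rows worth checking are the default-deny ones: an action with no policy for the resource type, or a gate name that was never registered, is refused rather than silently allowed.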
## Guarding routes

```go
ctx := authz.WithSubject(r.Context(), currentUser)               // usually set by your auth middleware
r.With(authz.Require("access-admin")).Get("/admin", adminHandler) // 403 if denied
```
## REST + kernel

| Endpoint | Purpose |
|---|---|
| `GET /api/authz/can?action=<gate>` | gate check for the context subject |
| `GET /api/authz/abilities` | registered gates + policy types/actions |
`s, _ := authz.FromKernel(k)` returns the service (`Can` / `Allows` / `Authorize`).
## Configuration

No env required. Composes with `togo install togo-framework/auth` (read roles off the subject in your policies) but works standalone with any subject type.