Policies — Aquilia Documentation
Comprehensive guide and documentation for Policies in the Aquilia framework. View API reference, examples, and implementation patterns.
Security & Auth / Authorization / Policy DSL Declarative Policy DSL The `aquilia.auth.policy` module provides a declarative, resource-centric policy language. Define complex authorization logic by subclassing Policy and decorating methods with `@rule`. Defining Resource Policies Resource policies group access rules for a specific resource type together. A rule method must be named can_{action} and return a PolicyResult using Allow, Deny, or Abstain: from aquilia.auth.policy import Policy, Allow, Deny, Abstain, rule class PostPolicy(Policy): resource = "post" # Connects this policy to the "post" resource name @rule def can_read(self, identity, resource=None): # Open access to anyone for reading return Allow("Public resource") @rule def can_edit(self, identity, resource): # Allow if the identity is the author of the post if resource and resource.author_id == identity.id: return Allow("Author can edit") # Defer to other rules if the user is an admin if identity.has_role("admin"): return Abstain("Let admin rules decide") return Deny("Must be author or administrator") The Policy Registry Polices are registered with a PolicyRegistry . When evaluating a permission, the registry locates the appropriate policy based on the resource name and evaluates the matching can_{action} method: from aquilia.auth.policy import PolicyRegistry from post_policy import PostPolicy # Initialize registry and register the policy registry = PolicyRegistry() registry.register(PostPolicy()) # Evaluate access dynamically result = registry.evaluate( resource="post", action="edit", identity=current_identity, resource_obj=active_post ) print(result.decision) # Decision.ALLOW or Decision.DENY print(result.reason) # "Author can edit" or "Must be author or administrator" Rule Resolution Flow When `evaluate()` is called, the policy engine follows this order of operations: ` matching the action argument.' }, , , , ].map((item, idx) => ( ))} ABAC Sessions )
Go to Homepage