Concepts Permission Engine - osama1998H/Moca GitHub Wiki
# Permission Engine
RBAC, field-level security, row-level security, and custom permission rules.
Moca implements a three-layer permission model that controls access from coarse-grained role checks down to individual field visibility.
## Three Layers
### 1. Role-Based Access Control (RBAC)
Each Role defines permissions per DocType:
| Permission | Meaning |
|---|---|
| Create | Can create new documents |
| Read | Can view documents |
| Write | Can modify documents |
| Delete | Can delete documents |
| Submit | Can submit documents (workflow) |
| Amend | Can amend submitted documents |
| Cancel | Can cancel submitted documents |
Users inherit permissions from all their assigned roles (union): a permission granted by any one of a user's roles is effective, so assigning an additional role can only widen a user's access, never narrow it.
### 2. Field-Level Security (FLS)
Per-field read/write permissions based on role:
- A role may have Read access to a DocType but be restricted from seeing certain fields (e.g., salary fields)
- Write restrictions prevent modifying specific fields even when the user can edit the document
### 3. Row-Level Security (RLS)
Fine-grained document-level access:
- PostgreSQL RLS policies enforced at the database level
- QueryBuilder automatically adds filters based on user permissions
- Example: "Sales Manager can only see their own region's orders"
## Custom Permission Rules
Apps can register custom permission functions for complex business logic:
```go
// Only allow editing if the document is not locked.
hooks.RegisterPermission("Sales Order", func(doc Document, user User, perm string) bool {
	// Two-value assertion: a missing or non-bool field denies instead of panicking.
	locked, ok := doc.Get("is_locked").(bool)
	return ok && !locked
})
```
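The program below is an added example, not code from the Moca repository, that ties the three layers above to the custom rule hook in one runnable unit: RBAC as a union of role grants, field-level redaction of a document, an application-side row filter appended to every query, and the "not locked" rule written so that a missing or non-bool field fails closed. The `Engine`, `Redact`, `Select` and `NewDemoEngine` names, the `Region` user attribute, the `margin` field and the policy data are all invented for the example; only the rule signature follows the page's hook. Two behaviours the page leaves unspecified are assumptions, marked in the comments: how FLS combines across roles (a field is readable if any role that can Read the DocType does not hide it) and how custom rules combine with RBAC (a rule can only narrow access).

```go
package main

import (
	"fmt"
	"strings"
)

// User carries assigned roles and Region, a hypothetical attribute the row filter keys on.
type User struct {
	Name, Region string
	Roles        []string
}

// Document is a plain field map standing in for the page's Document type, and
// RuleFunc mirrors the signature of the page's custom permission hook.
type Document map[string]any
type RuleFunc func(doc Document, user User, perm string) bool
type set = map[string]bool

// Engine holds the three layers plus custom rules, keyed role -> DocType -> permission
// or field. The data shape is invented for this example, not Moca's schema.
type Engine struct {
	rolePerms  map[string]map[string]set             // granted permissions (Read, Write, ...)
	roleHidden map[string]map[string]set             // fields a role may not read
	rowFilters map[string]func(User) (string, []any) // DocType -> SQL predicate and args
	rules      map[string][]RuleFunc                 // DocType -> custom rules
}

// Has is layer 1 (RBAC): the union of every assigned role's grants, so adding a role
// can only widen access, never narrow it.
func (e *Engine) Has(u User, doctype, perm string) bool {
	for _, r := range u.Roles {
		if e.rolePerms[r][doctype][perm] {
			return true
		}
	}
	return false
}

// Redact is layer 2 (FLS). Assumption: a field is readable when at least one role that
// can Read the DocType does not hide it; the page does not say how FLS combines across roles.
func (e *Engine) Redact(u User, doctype string, doc Document) Document {
	out := Document{}
	for field, v := range doc {
		for _, r := range u.Roles {
			if e.rolePerms[r][doctype]["Read"] && !e.roleHidden[r][doctype][field] {
				out[field] = v
				break
			}
		}
	}
	return out
}

// Select is layer 3 (RLS) on the application side: the user's row filter is appended to
// every query so a caller cannot forget it; the PostgreSQL policy on the table backs it up.
func (e *Engine) Select(u User, doctype string, cols []string) (string, []any, error) {
	if !e.Has(u, doctype, "Read") {
		return "", nil, fmt.Errorf("%s has no Read on %s", u.Name, doctype)
	}
	table := strings.ToLower(strings.ReplaceAll(doctype, " ", "_"))
	q := fmt.Sprintf("SELECT %s FROM %s", strings.Join(cols, ", "), table)
	if f, ok := e.rowFilters[doctype]; ok {
		pred, args := f(u)
		return q + " WHERE " + pred, args, nil
	}
	return q, nil, nil
}

// Can combines RBAC with the custom rules. Assumption: a rule can only narrow access,
// so RBAC must grant the permission and every registered rule must agree.
func (e *Engine) Can(u User, doctype string, doc Document, perm string) bool {
	if !e.Has(u, doctype, perm) {
		return false
	}
	for _, rule := range e.rules[doctype] {
		if !rule(doc, u, perm) {
			return false
		}
	}
	return true
}

// NewDemoEngine loads a constructed policy: two roles on "Sales Order", one hidden field,
// a per-region row filter, and the page's "not locked" rule written fail-closed.
func NewDemoEngine() *Engine {
	return &Engine{
		rolePerms: map[string]map[string]set{
			"Sales User":    {"Sales Order": {"Read": true, "Write": true}},
			"Sales Manager": {"Sales Order": {"Read": true, "Write": true, "Delete": true}},
		},
		roleHidden: map[string]map[string]set{"Sales User": {"Sales Order": {"margin": true}}},
		rowFilters: map[string]func(User) (string, []any){
			"Sales Order": func(u User) (string, []any) { return "region = $1", []any{u.Region} },
		},
		rules: map[string][]RuleFunc{"Sales Order": {func(doc Document, _ User, perm string) bool {
			locked, ok := doc["is_locked"].(bool)    // two-value form: no panic on a missing field
			return perm == "Read" || (ok && !locked) // missing or non-bool counts as locked
		}}},
	}
}
```

Because `Select` derives the `WHERE` clause from the user object rather than from caller-supplied input, a handler cannot issue a query for another region by mistake; the parameter placeholder keeps the region value out of the SQL text. The database-side policy the page mentions remains necessary for any code path (migrations, ad-hoc reports, a bug in the builder) that reaches the table without going through it.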
## Permission Caching
Resolved permissions are cached per user session to avoid repeated computation. Any change to a user's roles or to a role's permissions must invalidate that user's cached entry; otherwise a revoked permission stays in effect until the session ends.