You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

245 lines
8.3 KiB

/**
* Copyright (c) 2015-present, Parse, LLC.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*/
#import <Foundation/Foundation.h>
NS_ASSUME_NONNULL_BEGIN
@class PFRole;
@class PFUser;
/**
The `PFACL` class is used to control which users can access or modify a particular object.
Each `PFObject` can have its own `PFACL`. You can grant read and write permissions separately to specific users,
to groups of users that belong to roles, or you can grant permissions to "the public" so that,
for example, any user could read a particular object but only a particular set of users could write to that object.
*/
@interface PFACL : NSObject <NSCopying, NSCoding>
///--------------------------------------
/// @name Creating an ACL
///--------------------------------------
/**
Creates an ACL with no permissions granted.
@return Returns a new `PFACL`.
*/
+ (instancetype)ACL;
/**
Creates an ACL where only the provided user has access.
@param user The user to assign access.
*/
+ (instancetype)ACLWithUser:(PFUser *)user;
///--------------------------------------
/// @name Controlling Public Access
///--------------------------------------
/**
Controls whether the public is allowed to read this object.
*/
@property (nonatomic, assign, getter=getPublicReadAccess) BOOL publicReadAccess;
/**
Controls whether the public is allowed to write this object.
*/
@property (nonatomic, assign, getter=getPublicWriteAccess) BOOL publicWriteAccess;
///--------------------------------------
/// @name Controlling Access Per-User
///--------------------------------------
/**
Set whether the given user id is allowed to read this object.
@param allowed Whether the given user can write this object.
@param userId The `PFObject.objectId` of the user to assign access.
*/
- (void)setReadAccess:(BOOL)allowed forUserId:(NSString *)userId;
/**
Gets whether the given user id is *explicitly* allowed to read this object.
Even if this returns `NO`, the user may still be able to access it if `publicReadAccess` returns `YES`
or if the user belongs to a role that has access.
@param userId The `PFObject.objectId` of the user for which to retrive access.
@return `YES` if the user with this `objectId` has *explicit* read access, otherwise `NO`.
*/
- (BOOL)getReadAccessForUserId:(NSString *)userId;
/**
Set whether the given user id is allowed to write this object.
@param allowed Whether the given user can read this object.
@param userId The `PFObject.objectId` of the user to assign access.
*/
- (void)setWriteAccess:(BOOL)allowed forUserId:(NSString *)userId;
/**
Gets whether the given user id is *explicitly* allowed to write this object.
Even if this returns NO, the user may still be able to write it if `publicWriteAccess` returns `YES`
or if the user belongs to a role that has access.
@param userId The `PFObject.objectId` of the user for which to retrive access.
@return `YES` if the user with this `PFObject.objectId` has *explicit* write access, otherwise `NO`.
*/
- (BOOL)getWriteAccessForUserId:(NSString *)userId;
/**
Set whether the given user is allowed to read this object.
@param allowed Whether the given user can read this object.
@param user The user to assign access.
*/
- (void)setReadAccess:(BOOL)allowed forUser:(PFUser *)user;
/**
Gets whether the given user is *explicitly* allowed to read this object.
Even if this returns `NO`, the user may still be able to access it if `publicReadAccess` returns `YES`
or if the user belongs to a role that has access.
@param user The user for which to retrive access.
@return `YES` if the user has *explicit* read access, otherwise `NO`.
*/
- (BOOL)getReadAccessForUser:(PFUser *)user;
/**
Set whether the given user is allowed to write this object.
@param allowed Whether the given user can write this object.
@param user The user to assign access.
*/
- (void)setWriteAccess:(BOOL)allowed forUser:(PFUser *)user;
/**
Gets whether the given user is *explicitly* allowed to write this object.
Even if this returns `NO`, the user may still be able to write it if `publicWriteAccess` returns `YES`
or if the user belongs to a role that has access.
@param user The user for which to retrive access.
@return `YES` if the user has *explicit* write access, otherwise `NO`.
*/
- (BOOL)getWriteAccessForUser:(PFUser *)user;
///--------------------------------------
/// @name Controlling Access Per-Role
///--------------------------------------
/**
Get whether users belonging to the role with the given name are allowed to read this object.
Even if this returns `NO`, the role may still be able to read it if a parent role has read access.
@param name The name of the role.
@return `YES` if the role has read access, otherwise `NO`.
*/
- (BOOL)getReadAccessForRoleWithName:(NSString *)name;
/**
Set whether users belonging to the role with the given name are allowed to read this object.
@param allowed Whether the given role can read this object.
@param name The name of the role.
*/
- (void)setReadAccess:(BOOL)allowed forRoleWithName:(NSString *)name;
/**
Get whether users belonging to the role with the given name are allowed to write this object.
Even if this returns `NO`, the role may still be able to write it if a parent role has write access.
@param name The name of the role.
@return `YES` if the role has read access, otherwise `NO`.
*/
- (BOOL)getWriteAccessForRoleWithName:(NSString *)name;
/**
Set whether users belonging to the role with the given name are allowed to write this object.
@param allowed Whether the given role can write this object.
@param name The name of the role.
*/
- (void)setWriteAccess:(BOOL)allowed forRoleWithName:(NSString *)name;
/**
Get whether users belonging to the given role are allowed to read this object.
Even if this returns `NO`, the role may still be able to read it if a parent role has read access.
The role must already be saved on the server and
it's data must have been fetched in order to use this method.
@param role The name of the role.
@return `YES` if the role has read access, otherwise `NO`.
*/
- (BOOL)getReadAccessForRole:(PFRole *)role;
/**
Set whether users belonging to the given role are allowed to read this object.
The role must already be saved on the server and
it's data must have been fetched in order to use this method.
@param allowed Whether the given role can read this object.
@param role The role to assign access.
*/
- (void)setReadAccess:(BOOL)allowed forRole:(PFRole *)role;
/**
Get whether users belonging to the given role are allowed to write this object.
Even if this returns `NO`, the role may still be able to write it if a parent role has write access.
The role must already be saved on the server and
it's data must have been fetched in order to use this method.
@param role The name of the role.
@return `YES` if the role has write access, otherwise `NO`.
*/
- (BOOL)getWriteAccessForRole:(PFRole *)role;
/**
Set whether users belonging to the given role are allowed to write this object.
The role must already be saved on the server and
it's data must have been fetched in order to use this method.
@param allowed Whether the given role can write this object.
@param role The role to assign access.
*/
- (void)setWriteAccess:(BOOL)allowed forRole:(PFRole *)role;
///--------------------------------------
/// @name Setting Access Defaults
///--------------------------------------
/**
Sets a default ACL that will be applied to all instances of `PFObject` when they are created.
@param acl The ACL to use as a template for all instance of `PFObject` created after this method has been called.
This value will be copied and used as a template for the creation of new ACLs, so changes to the
instance after this method has been called will not be reflected in new instance of `PFObject`.
@param currentUserAccess - If `YES`, the `PFACL` that is applied to newly-created instance of `PFObject` will
provide read and write access to the `PFUser.+currentUser` at the time of creation.
- If `NO`, the provided `acl` will be used without modification.
- If `acl` is `nil`, this value is ignored.
*/
+ (void)setDefaultACL:(nullable PFACL *)acl withAccessForCurrentUser:(BOOL)currentUserAccess;
@end
NS_ASSUME_NONNULL_END