mirror of https://github.com/usememos/memos.git
57 lines
2.3 KiB
Go
57 lines
2.3 KiB
Go
package v1
|
|
|
|
// Access Control List (ACL) Configuration
|
|
//
|
|
// This file defines which API methods require authentication and which require admin privileges.
|
|
// Used by both gRPC and Connect interceptors to enforce access control.
|
|
//
|
|
// Method names follow the gRPC full method format: "/{package}.{service}/{method}"
|
|
// Example: "/memos.api.v1.MemoService/CreateMemo"
|
|
|
|
// publicMethods lists methods that can be called without authentication.
|
|
// These are typically read-only endpoints for public content or login-related endpoints.
|
|
var publicMethods = map[string]bool{
|
|
// Instance info - needed before login
|
|
"/memos.api.v1.InstanceService/GetInstanceProfile": true,
|
|
"/memos.api.v1.InstanceService/GetInstanceSetting": true,
|
|
|
|
// Auth - login/session endpoints
|
|
"/memos.api.v1.AuthService/CreateSession": true,
|
|
"/memos.api.v1.AuthService/GetCurrentSession": true,
|
|
|
|
// User - public user info and registration
|
|
"/memos.api.v1.UserService/CreateUser": true, // Registration (also admin-only when not first user)
|
|
"/memos.api.v1.UserService/GetUser": true,
|
|
"/memos.api.v1.UserService/GetUserAvatar": true,
|
|
"/memos.api.v1.UserService/GetUserStats": true,
|
|
"/memos.api.v1.UserService/ListAllUserStats": true,
|
|
"/memos.api.v1.UserService/SearchUsers": true,
|
|
|
|
// Identity providers - needed for SSO login
|
|
"/memos.api.v1.IdentityProviderService/ListIdentityProviders": true,
|
|
|
|
// Memo - public memo access
|
|
"/memos.api.v1.MemoService/GetMemo": true,
|
|
"/memos.api.v1.MemoService/ListMemos": true,
|
|
|
|
// Attachment - public attachment access
|
|
"/memos.api.v1.AttachmentService/GetAttachmentBinary": true,
|
|
}
|
|
|
|
// adminOnlyMethods lists methods that require admin (Host or Admin role) privileges.
|
|
// Regular users cannot call these methods even if authenticated.
|
|
var adminOnlyMethods = map[string]bool{
|
|
"/memos.api.v1.UserService/CreateUser": true, // Admin creates users (except first user registration)
|
|
"/memos.api.v1.InstanceService/UpdateInstanceSetting": true,
|
|
}
|
|
|
|
// IsPublicMethod returns true if the method can be called without authentication.
|
|
func IsPublicMethod(fullMethodName string) bool {
|
|
return publicMethods[fullMethodName]
|
|
}
|
|
|
|
// IsAdminOnlyMethod returns true if the method requires admin privileges.
|
|
func IsAdminOnlyMethod(fullMethodName string) bool {
|
|
return adminOnlyMethods[fullMethodName]
|
|
}
|