expandLowLevel constructs a site-only Scope with a single permission for the given resource and action. This mirrors how builtin scopes are represented but is restricted to site-level only.
(resource string, action policy.Action)
| 301 | // given resource and action. This mirrors how builtin scopes are represented |
| 302 | // but is restricted to site-level only. |
| 303 | func expandLowLevel(resource string, action policy.Action) Scope { |
| 304 | return Scope{ |
| 305 | Role: Role{ |
| 306 | Identifier: RoleIdentifier{Name: fmt.Sprintf("Scope_%s:%s", resource, action)}, |
| 307 | DisplayName: fmt.Sprintf("%s:%s", resource, action), |
| 308 | Site: []Permission{{ResourceType: resource, Action: action}}, |
| 309 | User: []Permission{}, |
| 310 | ByOrgID: map[string]OrgPermissions{}, |
| 311 | }, |
| 312 | // Low-level scopes intentionally return a wildcard allow list. |
| 313 | AllowIDList: []AllowListElement{{Type: policy.WildcardSymbol, ID: policy.WildcardSymbol}}, |
| 314 | } |
| 315 | } |