Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2.1 KiB
title |
---|
Expression Policies |
:::note These variables are available in addition to the common variables/functions defined in Expressions :::
The passing of the policy is determined by the return value of the code. Use return True
to pass a policy and return False
to fail it.
Available Functions
ak_message(message: str)
Add a message, visible by the end user. This can be used to show the reason why they were denied.
Example:
ak_message("Access denied")
return False
Context variables
-
request
: A PolicyRequest object, which has the following properties:request.user
: (ref) The current user, against which the policy is applied.request.http_request
: (ref) The Django HTTP Request.request.obj
: A Django Model instance. This is only set if the policy is ran against an object.request.context
: A dictionary with dynamic data. This depends on the origin of the execution.
-
geoip
: (ref) GeoIP object, which is added when GeoIP is enabled. -
ak_is_sso_flow
: Boolean which is true if request was initiated by authenticating through an external provider. -
ak_client_ip
: (ref) Client's IP Address or 255.255.255.255 if no IP Address could be extracted. Can be compared, for examplereturn ak_client_ip in ip_network('10.0.0.0/24') # or return ak_client_ip.is_private
Additionally, when the policy is executed from a flow, every variable from the flow's current context is accessible under the context
object.
This includes the following:
prompt_data
: Data which has been saved from a prompt stage or an external source.application
: The application the user is in the process of authorizing.pending_user
: The currently pending user