in packages/better-auth/src/plugins/access/access.ts [8:77]
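/**
 * Builds a role from a map of resource names to the actions that role may
 * perform on each resource.
 *
 * @param statements - Resource name → allowed action names. The `Statements`
 *   type is declared outside this block; the code below treats every value as
 *   an array of action names.
 * @returns An object exposing `authorize` and the original `statements`.
 */
export function role<TStatements extends Statements>(statements: TStatements) {
  return {
    /**
     * Checks a permission request against this role's statements.
     *
     * Each entry of `request` is either a list of actions (all of them must be
     * allowed) or `{ actions, connector }`, where connector "OR" requires at
     * least one allowed action and any other value requires all of them.
     *
     * @param request - Resource name → requested actions.
     * @param connector - How results of the individual resources combine:
     *   "AND" (default) fails on the first resource that is not satisfied,
     *   "OR" succeeds on the first resource that is satisfied.
     * @returns `{ success: true }`, or `{ success: false, error }`.
     * @throws BetterAuthError when an entry is neither an action list nor an
     *   `{ actions, connector }` object with an array of actions.
     */
    authorize<K extends keyof TStatements>(
      request: {
        [key in K]?:
          | TStatements[key]
          | {
              actions: TStatements[key];
              connector: "OR" | "AND";
            };
      },
      connector: "OR" | "AND" = "AND",
    ): AuthorizeResponse {
      let success = false;
      for (const [requestedResource, requestedActions] of Object.entries(
        request,
      )) {
        // Resolve the resource through an own-property lookup only. A plain
        // `statements[key]` also finds inherited members such as "constructor"
        // or "toString"; those are truthy, so the request used to get past the
        // "unknown resource" check and an empty action list was then granted.
        const allowedActions = Object.prototype.hasOwnProperty.call(
          statements,
          requestedResource,
        )
          ? statements[requestedResource]
          : undefined;
        // Fail closed on anything that is not an action list.
        // NOTE(review): an unknown resource is denied immediately, even when
        // the top-level connector is "OR" — kept as in the original.
        if (!Array.isArray(allowedActions)) {
          return {
            success: false,
            error: `You are not allowed to access resource: ${requestedResource}`,
          };
        }
        const isAllowed = (requestedAction: string): boolean =>
          allowedActions.includes(requestedAction);

        if (Array.isArray(requestedActions)) {
          // NOTE(review): `every` is vacuously true for an empty list, so
          // `{ resource: [] }` succeeds for any resource the role defines.
          // Callers that build the action list dynamically should reject an
          // empty list before calling authorize.
          success = (requestedActions as string[]).every(isAllowed);
        } else if (
          typeof requestedActions === "object" &&
          requestedActions !== null
        ) {
          const spec = requestedActions as {
            actions: string[];
            connector: "OR" | "AND";
          };
          // A malformed entry is reported as an invalid request instead of
          // surfacing as a TypeError from `.some` / `.every`.
          if (!Array.isArray(spec.actions)) {
            throw new BetterAuthError("Invalid access control request");
          }
          success =
            spec.connector === "OR"
              ? spec.actions.some(isAllowed)
              : spec.actions.every(isAllowed);
        } else {
          throw new BetterAuthError("Invalid access control request");
        }

        // Short-circuit: one satisfied resource settles an OR request, one
        // unsatisfied resource settles an AND request.
        if (success && connector === "OR") {
          return { success };
        }
        if (!success && connector === "AND") {
          return {
            success: false,
            error: `unauthorized to access resource "${requestedResource}"`,
          };
        }
      }
      // Reached with success === true only when every resource of an AND
      // request passed. An empty request never sets it, so it is denied.
      if (success) {
        return {
          success,
        };
      }
      return {
        success: false,
        error: "Not authorized",
      };
    },
    statements,
  };
}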