* 用户角色:用户拥有的角色,在钩子中为用户设置的角色
* API角色:OPERATION上 `@RBAC`指令声明的角色
角色列表为全集,用户拥有的角色为其子集,API拥有的角色也是子集。
* requireMatchAll:全部匹配,用户角色包含API角色时,可访问
* requireMatchAny:任意匹配,用户角色与API角色有交集时,可访问
* denyMatchAny:互斥匹配,用户角色与API角色互斥时,可访问
* denyMatchAll:非全部匹配,当任意匹配或互斥匹配时,可访问
最后,以全部角色作为全集,结合四种关系,看用户角色和API角色的交并补情况,确定当前用户是否能访问当前API。
实际情况下,我们一般使用`requireMatchAny`匹配规则。
它表示角色拥有某些接口,当用户拥有该角色时,就能访问该接口,也即:用户通过角色拥有该角色的所有接口权限!和RBAC0规范一致!
一方面,一个角色会有多个接口。对应着就是,多个OPERTION使用`requireMatchAny`绑定同一个角色。
例如:A、B OPERATION都绑定了admin角色。
{% code title="A.graphql" %}
```graphql
query A($id: Int = 1) @rbac(requireMatchAny: [admin]) {
todo_findUniqueTodo(where: {id: $id}) {
completed
createdAt
id
title
}
}
```
{% endcode %}
{% code title="B.graphql" %}
```graphql
query B($id: Int = 2) @rbac(requireMatchAny: [admin]) {
todo_findUniqueTodo(where: {id: $id}) {
completed
createdAt
id
title
}
}
```
{% endcode %}
反过来,一个接口也会属于多个角色。对应就是,一个OPERTION使用`requireMatchAny`绑定了多个角色。
例如:C OPEARTION绑定了admin和user角色。
{% code title="C.graphql" %}
```graphql
query C($id: Int = 3) @rbac(requireMatchAny: [admin, user]) {
todo_findUniqueTodo(where: {id: $id}) {
completed
createdAt
id
title
}
}
```
{% endcode %}
* 如果,用户只拥有admin角色,它就能访问A、B、C三个接口
* 如果,用户只拥有user角色,就只能访问C接口。
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.fireboom.io/v1.0/ji-chu-ke-shi-hua-kai-fa/yan-zheng-he-shou-quan/jie-kou-quan-xian-kong-zhi.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.