group access management (#412)

fjogeleit · web-flow · commit 44b32e011736 · 2024-10-14T13:08:07.000+02:00
Signed-off-by: Frank Jogeleit &lt;frank.jogeleit@web.de&gt;
diff --git a/backend/pkg/auth/handler.go b/backend/pkg/auth/handler.go
@@ -10,11 +10,12 @@ import (
 )
 
 type Handler struct {
-	basePath string
+	basePath   string
+	groupClaim string
 }
 
-func NewHandler(basePath string) *Handler {
-	return &Handler{basePath: basePath}
+func NewHandler(basePath, groupClaim string) *Handler {
+	return &Handler{basePath: basePath, groupClaim: groupClaim}
 }
 
 func (h *Handler) Callback(ctx *gin.Context) {
@@ -25,8 +26,11 @@ func (h *Handler) Callback(ctx *gin.Context) {
 		return
 	}
 
+	profile := NewProfile(user)
+	profile.AssignGroups(mapGroups(user, h.groupClaim))
+
 	session := sessions.Default(ctx)
-	session.Set("profile", NewProfile(user))
+	session.Set("profile", profile)
 
 	if err := session.Save(); err != nil {
 		zap.L().Error("failed to save session", zap.Error(err))
@@ -44,8 +48,11 @@ func (h *Handler) Login(ctx *gin.Context) {
 		return
 	}
 
+	profile := NewProfile(user)
+	profile.AssignGroups(mapGroups(user, h.groupClaim))
+
 	session := sessions.Default(ctx)
-	session.Set("profile", NewProfile(user))
+	session.Set("profile", profile)
 
 	ctx.Redirect(http.StatusTemporaryRedirect, h.basePath)
 }
diff --git a/backend/pkg/auth/helper.go b/backend/pkg/auth/helper.go
@@ -0,0 +1,31 @@
+package auth
+
+import (
+	"github.com/markbates/goth"
+)
+
+func mapGroups(user goth.User, claim string) []string {
+	groups := make([]string, 0)
+
+	if claim == "" {
+		return groups
+	}
+
+	rawGroups, ok := user.RawData[claim]
+	if !ok {
+		return groups
+	}
+
+	mapped, ok := rawGroups.([]any)
+	if !ok {
+		return groups
+	}
+
+	for _, group := range mapped {
+		if g, ok := group.(string); ok {
+			groups = append(groups, g)
+		}
+	}
+
+	return groups
+}
diff --git a/backend/pkg/auth/middleware.go b/backend/pkg/auth/middleware.go
@@ -26,7 +26,7 @@ func Provider(provider string) gin.HandlerFunc {
 	}
 }
 
-func Valid(basePath string) gin.HandlerFunc {
+func Valid(basePath, groupClaim string) gin.HandlerFunc {
 	return func(ctx *gin.Context) {
 		providerName, err := gothic.GetProviderName(ctx.Request)
 		if err != nil {
@@ -71,7 +71,10 @@ func Valid(basePath string) gin.HandlerFunc {
 			return
 		}
 
-		session.Set("profile", NewProfile(user))
+		newProfile := NewProfile(user)
+		newProfile.AssignGroups(mapGroups(user, groupClaim))
+
+		session.Set("profile", newProfile)
 		if err := session.Save(); err != nil {
 			zap.L().Error("failed to save profile session", zap.Error(err))
 		}
diff --git a/backend/pkg/auth/model.go b/backend/pkg/auth/model.go
@@ -16,6 +16,7 @@ type Profile struct {
 	Firstname    string    `json:"firstname"`
 	Name         string    `json:"name"`
 	Email        string    `json:"email"`
+	Groups       []string  `json:"groups"`
 	RefreshToken string    `json:"-"`
 	AccessToken  string    `json:"-"`
 	IDToken      string    `json:"-"`
@@ -34,6 +35,10 @@ func (p *Profile) GetName() string {
 	return p.Email
 }
 
+func (p *Profile) AssignGroups(groups []string) {
+	p.Groups = groups
+}
+
 func NewProfile(user goth.User) Profile {
 	return Profile{
 		ID:           user.UserID,
diff --git a/backend/pkg/auth/permissions.go b/backend/pkg/auth/permissions.go
@@ -6,22 +6,33 @@ import (
 	"strings"
 
 	"github.com/gin-gonic/gin"
+
+	"github.com/kyverno/policy-reporter-ui/pkg/utils"
 )
 
 type AccessControl struct {
 	Emails []string
+	Groups []string
 }
 
 type Permissions struct {
 	AccessControl AccessControl `json:"-"`
 }
 
-func (p Permissions) AllowedEmail(email string) bool {
-	if len(p.AccessControl.Emails) == 0 {
+func (p Permissions) Allowed(profile *Profile) bool {
+	if len(p.AccessControl.Emails) == 0 && len(p.AccessControl.Groups) == 0 {
+		return true
+	}
+
+	if len(p.AccessControl.Emails) > 0 && slices.Contains(p.AccessControl.Emails, profile.Email) {
+		return true
+	}
+
+	if len(p.AccessControl.Groups) > 0 && utils.Some(p.AccessControl.Groups, profile.Groups) {
 		return true
 	}
 
-	return slices.Contains(p.AccessControl.Emails, email)
+	return false
 }
 
 func ClusterPermissions(permissions map[string]Permissions) gin.HandlerFunc {
@@ -38,7 +49,7 @@ func ClusterPermissions(permissions map[string]Permissions) gin.HandlerFunc {
 		}
 
 		if profile := ProfileFrom(ctx); profile != nil {
-			if !permissions[cluster].AllowedEmail(profile.Email) {
+			if !permissions[cluster].Allowed(profile) {
 				ctx.AbortWithStatus(http.StatusUnauthorized)
 				return
 			}
diff --git a/backend/pkg/auth/router.go b/backend/pkg/auth/router.go
@@ -12,7 +12,7 @@ import (
 
 const SessionKey = "auth-session"
 
-func Setup(engine *gin.Engine, basePath, provider, tempDir string) {
+func Setup(engine *gin.Engine, basePath, groupKey, provider, tempDir string) {
 	gob.Register(Profile{})
 	gob.Register(map[string]any{})
 
@@ -28,7 +28,7 @@ func Setup(engine *gin.Engine, basePath, provider, tempDir string) {
 
 	engine.Use(sessions.Sessions(SessionKey, NewStore(authStore)))
 
-	handler := NewHandler(basePath)
+	handler := NewHandler(basePath, groupKey)
 
 	engine.GET("/login", Provider(provider), handler.Login)
 	engine.GET("/logout", Provider(provider), handler.Logout)
diff --git a/backend/pkg/config/config.go b/backend/pkg/config/config.go
@@ -24,6 +24,7 @@ type OpenIDConnect struct {
 	CallbackURL  string   `mapstructure:"callbackUrl"`
 	ClientID     string   `mapstructure:"clientId"`
 	ClientSecret string   `mapstructure:"clientSecret"`
+	GroupClaim   string   `mapstructure:"groupClaim"`
 	Scopes       []string `mapstructure:"scopes"`
 }
 
@@ -191,6 +192,7 @@ type Source struct {
 
 type AccessControl struct {
 	Emails []string `mapstructure:"emails"`
+	Groups []string `mapstructure:"groups"`
 }
 
 type Boards struct {
@@ -243,3 +245,11 @@ func (c *Config) AuthBasePath() string {
 
 	return c.OpenIDConnect.BasePath()
 }
+
+func (c *Config) AuthGroupClaim() string {
+	if c.OAuth.Enabled {
+		return ""
+	}
+
+	return c.OpenIDConnect.GroupClaim
+}
diff --git a/backend/pkg/config/mapper.go b/backend/pkg/config/mapper.go
@@ -43,9 +43,7 @@ func MapConfig(c *Config) *api.Config {
 		Banner:   c.UI.Banner,
 		Boards: api.Boards{
 			Permissions: auth.Permissions{
-				AccessControl: auth.AccessControl{
-					Emails: c.Boards.AccessControl.Emails,
-				},
+				AccessControl: auth.AccessControl(c.Boards.AccessControl),
 			},
 		},
 		Sources: utils.Map(c.Sources, func(s Source) api.Source {
@@ -81,9 +79,7 @@ func MapCustomBoards(customBoards []CustomBoard) map[string]api.CustomBoard {
 				List: c.Sources.List,
 			},
 			Permissions: auth.Permissions{
-				AccessControl: auth.AccessControl{
-					Emails: c.AccessControl.Emails,
-				},
+				AccessControl: auth.AccessControl(c.AccessControl),
 			},
 			PolicyReports: api.PolicyReports{
 				Selector: c.PolicyReports.Selector,
diff --git a/backend/pkg/config/resolver.go b/backend/pkg/config/resolver.go
@@ -248,7 +248,7 @@ func (r *Resolver) SetupOAuth(ctx context.Context, engine *gin.Engine) ([]gin.Ha
 	}
 
 	goth.UseProviders(provider)
-	auth.Setup(engine, r.config.OAuth.BasePath(), config.Provider, r.config.TempDir)
+	auth.Setup(engine, r.config.OAuth.BasePath(), r.config.AuthGroupClaim(), config.Provider, r.config.TempDir)
 
 	return []gin.HandlerFunc{auth.Provider(r.config.OAuth.Provider), auth.Auth(r.config.OAuth.BasePath())}, nil
 }
@@ -272,7 +272,7 @@ func (r *Resolver) SetupOIDC(ctx context.Context, engine *gin.Engine) ([]gin.Han
 
 	goth.UseProviders(provider)
 
-	auth.Setup(engine, r.config.OpenIDConnect.BasePath(), "openid-connect", r.config.TempDir)
+	auth.Setup(engine, r.config.OpenIDConnect.BasePath(), r.config.AuthGroupClaim(), "openid-connect", r.config.TempDir)
 
 	return []gin.HandlerFunc{auth.Provider("openid-connect"), auth.Auth(r.config.OpenIDConnect.BasePath())}, nil
 }
@@ -369,7 +369,7 @@ func (r *Resolver) Server(ctx context.Context) (*server.Server, error) {
 	if !r.config.UI.Disabled {
 		var uiMiddleware []gin.HandlerFunc
 		if r.config.AuthEnabled() {
-			uiMiddleware = append(uiMiddleware, auth.Valid(r.config.AuthBasePath()))
+			uiMiddleware = append(uiMiddleware, auth.Valid(r.config.AuthBasePath(), r.config.AuthGroupClaim()))
 		}
 
 		zap.L().Info("register UI", zap.String("path", r.config.UI.Path))
diff --git a/backend/pkg/server/api/handler.go b/backend/pkg/server/api/handler.go
@@ -36,7 +36,7 @@ func (h *Handler) Config(ctx *gin.Context) {
 
 		clusters := make([]Cluster, 0, len(h.config.Clusters))
 		for _, cl := range h.config.Clusters {
-			access := cl.AllowedEmail(profile.Email)
+			access := cl.Allowed(profile)
 			if access {
 				clusters = append(clusters, cl)
 			}
@@ -69,7 +69,7 @@ func (h *Handler) ListCustomBoards(ctx *gin.Context) {
 
 func (h *Handler) ListPolicySources(ctx *gin.Context) {
 	if profile := auth.ProfileFrom(ctx); profile != nil {
-		if !h.config.Boards.AllowedEmail(profile.Email) {
+		if !h.config.Boards.Allowed(profile) {
 			ctx.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
@@ -153,7 +153,7 @@ func (h *Handler) GetCustomBoard(ctx *gin.Context) {
 	}
 
 	if profile := auth.ProfileFrom(ctx); profile != nil {
-		if !config.AllowedEmail(profile.Email) {
+		if !config.Allowed(profile) {
 			ctx.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
@@ -252,14 +252,14 @@ func (h *Handler) Layout(ctx *gin.Context) {
 		boards = make(map[string]CustomBoard, len(h.customBoards))
 
 		for key, board := range h.customBoards {
-			if !board.AllowedEmail(profile.Email) {
+			if !board.Allowed(profile) {
 				continue
 			}
 
 			boards[key] = board
 		}
 
-		if !h.config.Boards.AllowedEmail(profile.Email) {
+		if !h.config.Boards.Allowed(profile) {
 			sources = nil
 		}
 	} else {
@@ -277,7 +277,7 @@ func (h *Handler) Layout(ctx *gin.Context) {
 
 func (h *Handler) Dashboard(ctx *gin.Context) {
 	if profile := auth.ProfileFrom(ctx); profile != nil {
-		if !h.config.Boards.AllowedEmail(profile.Email) {
+		if !h.config.Boards.Allowed(profile) {
 			ctx.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
@@ -334,7 +334,7 @@ func (h *Handler) Dashboard(ctx *gin.Context) {
 
 func (h *Handler) Policies(ctx *gin.Context) {
 	if profile := auth.ProfileFrom(ctx); profile != nil {
-		if !h.config.Boards.AllowedEmail(profile.Email) {
+		if !h.config.Boards.Allowed(profile) {
 			ctx.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
diff --git a/backend/pkg/server/api/model.go b/backend/pkg/server/api/model.go
@@ -1,6 +1,8 @@
 package api
 
-import "github.com/kyverno/policy-reporter-ui/pkg/auth"
+import (
+	"github.com/kyverno/policy-reporter-ui/pkg/auth"
+)
 
 type Policy struct {
 	Source      string         `json:"source,omitempty"`
diff --git a/backend/pkg/utils/contains.go b/backend/pkg/utils/contains.go
@@ -9,3 +9,15 @@ func Contains[T comparable](list []T, item T) bool {
 
 	return false
 }
+
+func Some[T comparable](list []T, items []T) bool {
+	for _, i := range list {
+		for _, j := range items {
+			if i == j {
+				return true
+			}
+		}
+	}
+
+	return false
+}

Original file line number	Diff line number	Diff line change
`@@ -10,11 +10,12 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`type Handler struct {`
`13`		`- basePath string`
	`13`	`+ basePath string`
	`14`	`+ groupClaim string`
`14`	`15`	`}`
`15`	`16`
`16`		`-func NewHandler(basePath string) *Handler {`
`17`		`- return &Handler{basePath: basePath}`
	`17`	`+func NewHandler(basePath, groupClaim string) *Handler {`
	`18`	`+ return &Handler{basePath: basePath, groupClaim: groupClaim}`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`func (h Handler) Callback(ctx gin.Context) {`
`@@ -25,8 +26,11 @@ func (h Handler) Callback(ctx gin.Context) {`
`25`	`26`	`return`
`26`	`27`	`}`
`27`	`28`
	`29`	`+ profile := NewProfile(user)`
	`30`	`+ profile.AssignGroups(mapGroups(user, h.groupClaim))`
	`31`	`+`
`28`	`32`	`session := sessions.Default(ctx)`
`29`		`- session.Set("profile", NewProfile(user))`
	`33`	`+ session.Set("profile", profile)`
`30`	`34`
`31`	`35`	`if err := session.Save(); err != nil {`
`32`	`36`	`zap.L().Error("failed to save session", zap.Error(err))`
`@@ -44,8 +48,11 @@ func (h Handler) Login(ctx gin.Context) {`
`44`	`48`	`return`
`45`	`49`	`}`
`46`	`50`
	`51`	`+ profile := NewProfile(user)`
	`52`	`+ profile.AssignGroups(mapGroups(user, h.groupClaim))`
	`53`	`+`
`47`	`54`	`session := sessions.Default(ctx)`
`48`		`- session.Set("profile", NewProfile(user))`
	`55`	`+ session.Set("profile", profile)`
`49`	`56`
`50`	`57`	`ctx.Redirect(http.StatusTemporaryRedirect, h.basePath)`
`51`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func Provider(provider string) gin.HandlerFunc {`
`26`	`26`	`}`
`27`	`27`	`}`
`28`	`28`
`29`		`-func Valid(basePath string) gin.HandlerFunc {`
	`29`	`+func Valid(basePath, groupClaim string) gin.HandlerFunc {`
`30`	`30`	`return func(ctx *gin.Context) {`
`31`	`31`	`providerName, err := gothic.GetProviderName(ctx.Request)`
`32`	`32`	`if err != nil {`
`@@ -71,7 +71,10 @@ func Valid(basePath string) gin.HandlerFunc {`
`71`	`71`	`return`
`72`	`72`	`}`
`73`	`73`
`74`		`- session.Set("profile", NewProfile(user))`
	`74`	`+ newProfile := NewProfile(user)`
	`75`	`+ newProfile.AssignGroups(mapGroups(user, groupClaim))`
	`76`	`+`
	`77`	`+ session.Set("profile", newProfile)`
`75`	`78`	`if err := session.Save(); err != nil {`
`76`	`79`	`zap.L().Error("failed to save profile session", zap.Error(err))`
`77`	`80`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,22 +6,33 @@ import (`
`6`	`6`	`"strings"`
`7`	`7`
`8`	`8`	`"github.com/gin-gonic/gin"`
	`9`	`+`
	`10`	`+ "github.com/kyverno/policy-reporter-ui/pkg/utils"`
`9`	`11`	`)`
`10`	`12`
`11`	`13`	`type AccessControl struct {`
`12`	`14`	`Emails []string`
	`15`	`+ Groups []string`
`13`	`16`	`}`
`14`	`17`
`15`	`18`	`type Permissions struct {`
`16`	`19`	AccessControl AccessControl `json:"-"`
`17`	`20`	`}`
`18`	`21`
`19`		`-func (p Permissions) AllowedEmail(email string) bool {`
`20`		`- if len(p.AccessControl.Emails) == 0 {`
	`22`	`+func (p Permissions) Allowed(profile *Profile) bool {`
	`23`	`+ if len(p.AccessControl.Emails) == 0 && len(p.AccessControl.Groups) == 0 {`
	`24`	`+ return true`
	`25`	`+ }`
	`26`	`+`
	`27`	`+ if len(p.AccessControl.Emails) > 0 && slices.Contains(p.AccessControl.Emails, profile.Email) {`
	`28`	`+ return true`
	`29`	`+ }`
	`30`	`+`
	`31`	`+ if len(p.AccessControl.Groups) > 0 && utils.Some(p.AccessControl.Groups, profile.Groups) {`
`21`	`32`	`return true`
`22`	`33`	`}`
`23`	`34`
`24`		`- return slices.Contains(p.AccessControl.Emails, email)`
	`35`	`+ return false`
`25`	`36`	`}`
`26`	`37`
`27`	`38`	`func ClusterPermissions(permissions map[string]Permissions) gin.HandlerFunc {`
`@@ -38,7 +49,7 @@ func ClusterPermissions(permissions map[string]Permissions) gin.HandlerFunc {`
`38`	`49`	`}`
`39`	`50`
`40`	`51`	`if profile := ProfileFrom(ctx); profile != nil {`
`41`		`- if !permissions[cluster].AllowedEmail(profile.Email) {`
	`52`	`+ if !permissions[cluster].Allowed(profile) {`
`42`	`53`	`ctx.AbortWithStatus(http.StatusUnauthorized)`
`43`	`54`	`return`
`44`	`55`	`}`
Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,7 @@ func (r Resolver) SetupOAuth(ctx context.Context, engine gin.Engine) ([]gin.Ha`
`248`	`248`	`}`
`249`	`249`
`250`	`250`	`goth.UseProviders(provider)`
`251`		`- auth.Setup(engine, r.config.OAuth.BasePath(), config.Provider, r.config.TempDir)`
	`251`	`+ auth.Setup(engine, r.config.OAuth.BasePath(), r.config.AuthGroupClaim(), config.Provider, r.config.TempDir)`
`252`	`252`
`253`	`253`	`return []gin.HandlerFunc{auth.Provider(r.config.OAuth.Provider), auth.Auth(r.config.OAuth.BasePath())}, nil`
`254`	`254`	`}`
`@@ -272,7 +272,7 @@ func (r Resolver) SetupOIDC(ctx context.Context, engine gin.Engine) ([]gin.Han`
`272`	`272`
`273`	`273`	`goth.UseProviders(provider)`
`274`	`274`
`275`		`- auth.Setup(engine, r.config.OpenIDConnect.BasePath(), "openid-connect", r.config.TempDir)`
	`275`	`+ auth.Setup(engine, r.config.OpenIDConnect.BasePath(), r.config.AuthGroupClaim(), "openid-connect", r.config.TempDir)`
`276`	`276`
`277`	`277`	`return []gin.HandlerFunc{auth.Provider("openid-connect"), auth.Auth(r.config.OpenIDConnect.BasePath())}, nil`
`278`	`278`	`}`
`@@ -369,7 +369,7 @@ func (r Resolver) Server(ctx context.Context) (server.Server, error) {`
`369`	`369`	`if !r.config.UI.Disabled {`
`370`	`370`	`var uiMiddleware []gin.HandlerFunc`
`371`	`371`	`if r.config.AuthEnabled() {`
`372`		`- uiMiddleware = append(uiMiddleware, auth.Valid(r.config.AuthBasePath()))`
	`372`	`+ uiMiddleware = append(uiMiddleware, auth.Valid(r.config.AuthBasePath(), r.config.AuthGroupClaim()))`
`373`	`373`	`}`
`374`	`374`
`375`	`375`	`zap.L().Info("register UI", zap.String("path", r.config.UI.Path))`
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ func (h Handler) Config(ctx gin.Context) {`
`36`	`36`
`37`	`37`	`clusters := make([]Cluster, 0, len(h.config.Clusters))`
`38`	`38`	`for _, cl := range h.config.Clusters {`
`39`		`- access := cl.AllowedEmail(profile.Email)`
	`39`	`+ access := cl.Allowed(profile)`
`40`	`40`	`if access {`
`41`	`41`	`clusters = append(clusters, cl)`
`42`	`42`	`}`
`@@ -69,7 +69,7 @@ func (h Handler) ListCustomBoards(ctx gin.Context) {`
`69`	`69`
`70`	`70`	`func (h Handler) ListPolicySources(ctx gin.Context) {`
`71`	`71`	`if profile := auth.ProfileFrom(ctx); profile != nil {`
`72`		`- if !h.config.Boards.AllowedEmail(profile.Email) {`
	`72`	`+ if !h.config.Boards.Allowed(profile) {`
`73`	`73`	`ctx.AbortWithStatus(http.StatusUnauthorized)`
`74`	`74`	`return`
`75`	`75`	`}`
`@@ -153,7 +153,7 @@ func (h Handler) GetCustomBoard(ctx gin.Context) {`
`153`	`153`	`}`
`154`	`154`
`155`	`155`	`if profile := auth.ProfileFrom(ctx); profile != nil {`
`156`		`- if !config.AllowedEmail(profile.Email) {`
	`156`	`+ if !config.Allowed(profile) {`
`157`	`157`	`ctx.AbortWithStatus(http.StatusUnauthorized)`
`158`	`158`	`return`
`159`	`159`	`}`
`@@ -252,14 +252,14 @@ func (h Handler) Layout(ctx gin.Context) {`
`252`	`252`	`boards = make(map[string]CustomBoard, len(h.customBoards))`
`253`	`253`
`254`	`254`	`for key, board := range h.customBoards {`
`255`		`- if !board.AllowedEmail(profile.Email) {`
	`255`	`+ if !board.Allowed(profile) {`
`256`	`256`	`continue`
`257`	`257`	`}`
`258`	`258`
`259`	`259`	`boards[key] = board`
`260`	`260`	`}`
`261`	`261`
`262`		`- if !h.config.Boards.AllowedEmail(profile.Email) {`
	`262`	`+ if !h.config.Boards.Allowed(profile) {`
`263`	`263`	`sources = nil`
`264`	`264`	`}`
`265`	`265`	`} else {`
`@@ -277,7 +277,7 @@ func (h Handler) Layout(ctx gin.Context) {`
`277`	`277`
`278`	`278`	`func (h Handler) Dashboard(ctx gin.Context) {`
`279`	`279`	`if profile := auth.ProfileFrom(ctx); profile != nil {`
`280`		`- if !h.config.Boards.AllowedEmail(profile.Email) {`
	`280`	`+ if !h.config.Boards.Allowed(profile) {`
`281`	`281`	`ctx.AbortWithStatus(http.StatusUnauthorized)`
`282`	`282`	`return`
`283`	`283`	`}`
`@@ -334,7 +334,7 @@ func (h Handler) Dashboard(ctx gin.Context) {`
`334`	`334`
`335`	`335`	`func (h Handler) Policies(ctx gin.Context) {`
`336`	`336`	`if profile := auth.ProfileFrom(ctx); profile != nil {`
`337`		`- if !h.config.Boards.AllowedEmail(profile.Email) {`
	`337`	`+ if !h.config.Boards.Allowed(profile) {`
`338`	`338`	`ctx.AbortWithStatus(http.StatusUnauthorized)`
`339`	`339`	`return`
`340`	`340`	`}`