authentik/docs/policies/expression.md

1.4 KiB

Expression Policies

!!! notice These variables are available in addition to the common variables/functions defined in Expressions

The passing of the policy is determined by the return value of the code. Use return True to pass a policy and return False to fail it.

Available Functions

pb_message(message: str)

Add a message, visible by the end user. This can be used to show the reason why they were denied.

Example:

pb_message("Access denied")
return False

Context variables

  • request: A PolicyRequest object, which has the following properties:
    • request.user: The current user, against which the policy is applied. (ref)
    • request.http_request: The Django HTTP Request. (ref)
    • request.obj: A Django Model instance. This is only set if the policy is ran against an object.
    • request.context: A dictionary with dynamic data. This depends on the origin of the execution.
  • pb_is_sso_flow: Boolean which is true if request was initiated by authenticating through an external provider.
  • pb_client_ip: Client's IP Address or '255.255.255.255' if no IP Address could be extracted. Can be compared
  • pb_flow_plan: Current Plan if Policy is called from the Flow Planner.