Authorization Rule

Schema Definition

Schema definition for the https://pagelove.org/AuthorizationRule type

Name      Type                     Cardinality  Description
actor     https://schema.org/Text  1..n         The name of the actor - either a user or a group - the rule applies to
resource  https://schema.org/Text  1..n         The name of the resource this rule is applied to
method    https://schema.org/Text  1..n         The HTTP method this rule applies to
selector  https://schema.org/Text  0..1         Optionally, a CSS selector defining the constrained element
action    https://schema.org/Text  1            The action to take when this rule matches

Description

AuthorizationRule is an HTML microdata schema that defines who can perform which HTTP methods on which resources, optionally constrained to which elements inside those resources.

In other words, each rule answers the question:

Can this actor perform this HTTP method on this file, and if so, on which elements inside it?

Rules are evaluated by the Pagelove server as part of request handling and are expressed directly inside your site as structured HTML, rather than in a separate policy language or configuration file.

Concepts

Actor

The actor identifies the subject the rule applies to.

Multiple actor values may be supplied to express OR semantics.

Resource

The resource property identifies the file or set of files the rule applies to. Values are treated as path patterns (for example /admin/*).

At least one resource is required.

Method

The method property lists one or more HTTP methods the rule applies to, such as GET, POST, PUT, or DELETE.

Selector (optional)

If present, selector restricts the rule to only apply to elements inside the matched resource that satisfy the given CSS selector.

If omitted, the rule applies to the entire document.

This allows authorization to be expressed at element granularity, not just at the file level.

Action

The action defines the outcome when the rule matches. Common values are:

The exact conflict‑resolution strategy (for example, first‑match or deny‑overrides) is defined by the Pagelove authorization engine.

Matching model (informal)

A rule matches a request if:

  1. The request actor matches one of the rule’s actor values (or *).
  2. The request path matches one of the rule’s resource patterns.
  3. The request HTTP method matches one of the rule’s method values.
  4. If a selector is present, the request targets at least one element matching that selector.

If all conditions match, the rule’s action is applied.

Example: simple blog admin interface

Assume a blog engine with an administrative UI under /admin/.

The following table encodes several authorization rules using HTML microdata:

<table itemscope itemtype="https://pagelove.org/AuthorizationRule">
  <thead>
    <tr>
      <th>Actor</th>
      <th>Resource</th>
      <th>Method(s)</th>
      <th>Selector</th>
      <th>Action</th>
    </tr>
  </thead>
  <tbody>

    <!-- Everyone can read everything by default -->
    <tr>
      <td itemprop="actor">*</td>
      <td itemprop="resource">/*</td>
      <td itemprop="method">GET</td>
      <td itemprop="selector"></td>
      <td itemprop="action">Allow</td>
    </tr>

    <!-- Non-admin users cannot access /admin -->
    <tr>
      <td itemprop="actor">*</td>
      <td itemprop="resource">/admin/*</td>
      <td itemprop="method">GET</td>
      <td itemprop="selector"></td>
      <td itemprop="action">Deny</td>
    </tr>

    <!-- Admins can access /admin -->
    <tr>
      <td itemprop="actor">admins</td>
      <td itemprop="resource">/admin/*</td>
      <td itemprop="method">GET</td>
      <td itemprop="selector"></td>
      <td itemprop="action">Allow</td>
    </tr>

    <!-- Admins can create new posts -->
    <tr>
      <td itemprop="actor">admins</td>
      <td itemprop="resource">/admin/posts/*</td>
      <td>
        <ul>
          <li itemprop="method">POST</li>
        </ul>
      </td>
      <td itemprop="selector">li#posts</td>
      <td itemprop="action">Allow</td>
    </tr>

    <!-- Admins can delete existing posts -->
    <tr>
      <td itemprop="actor">admins</td>
      <td itemprop="resource">/admin/posts/*</td>
      <td>
        <ul>
          <li itemprop="method">DELETE</li>
        </ul>
      </td>
      <td itemprop="selector">li#posts li[itemprop="*Post"]</td>
      <td itemprop="action">Allow</td>
    </tr>

    <!-- Admins can update fields within posts -->
    <tr>
      <td itemprop="actor">admins</td>
      <td itemprop="resource">/admin/posts/*</td>
      <td>
        <ul>
          <li itemprop="method">PUT</li>
        </ul>
      </td>
      <td itemprop="selector">li#posts li[itemprop="*Post"] > [itemprop]</td>
      <td itemprop="action">Allow</td>
    </tr>

  </tbody>
</table>
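
The informal matching model applied to the six rows of the table above, as an added Python example (not Pagelove's own code). It assumes one rule per table row, glob-style resource patterns, a request identity given as the set of the user's name and group names, and a caller-supplied `targets` predicate standing in for CSS selector evaluation; `Rule`, `matching_rules` and `overlap_report` are hypothetical names.

```python
from fnmatch import fnmatchcase
from typing import NamedTuple

class Rule(NamedTuple):
    actors: tuple
    resources: tuple
    methods: tuple
    selector: str  # "" means the rule covers the whole document
    action: str

# One Rule per row of the blog admin table above (assumed: each row is one rule).
RULES = [
    Rule(("*",), ("/*",), ("GET",), "", "Allow"),
    Rule(("*",), ("/admin/*",), ("GET",), "", "Deny"),
    Rule(("admins",), ("/admin/*",), ("GET",), "", "Allow"),
    Rule(("admins",), ("/admin/posts/*",), ("POST",), "li#posts", "Allow"),
    Rule(("admins",), ("/admin/posts/*",), ("DELETE",), 'li#posts li[itemprop="*Post"]', "Allow"),
    Rule(("admins",), ("/admin/posts/*",), ("PUT",), 'li#posts li[itemprop="*Post"] > [itemprop]', "Allow"),
]

def matching_rules(rules, identities, path, method, targets=lambda selector: False):
    """Return every rule whose conditions 1-4 hold for the request.

    identities: the user's name plus group names (assumed request model).
    targets(selector): True if the request targets an element matching the
    selector; evaluating it needs a CSS engine, so the caller supplies it.
    """
    hits = []
    for rule in rules:
        actor_ok = any(a == "*" or a in identities for a in rule.actors)
        # Assumption: '*' in a resource pattern is a glob that also spans '/'.
        path_ok = any(fnmatchcase(path, pat) for pat in rule.resources)
        method_ok = method.upper() in rule.methods
        selector_ok = not rule.selector or targets(rule.selector)
        if actor_ok and path_ok and method_ok and selector_ok:
            hits.append(rule)
    return hits

def overlap_report(rules, identities, path, method, targets=lambda selector: False):
    """Return (actions of all matching rules, True if they disagree).

    Disagreement means the result depends on the engine's conflict resolution.
    """
    actions = [r.action for r in matching_rules(rules, identities, path, method, targets)]
    return actions, len(set(actions)) > 1

if __name__ == "__main__":
    for who in ({"guest"}, {"alice", "admins"}):
        print(sorted(who), overlap_report(RULES, who, "/admin/index.html", "GET"))
```

For GET /admin/index.html, both the constructed guest and the constructed admin match an Allow rule and a Deny rule, so the effective decision rests entirely on the engine's conflict-resolution strategy.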