
`getImplicitPermissionsForUser` doesn't work when used with domains


getImplicitPermissionsForUser doesn't seem to work with domains. If used without domains, we can get implicit permissions.

Model

[request_definition]
r = sub, cid, lid, obj, act

[policy_definition]
p = sub, cid, lid, obj, act, rule, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub.id+'::'+r.sub.type, p.sub, r.cid+'::'+r.lid) \
    && keyMatch(r.cid, p.cid) \
    && keyMatch(r.lid, p.lid) \
    && regexMatch(r.act,p.act) \
    && keyMatch2(r.obj, p.obj) \
    && eval(p.rule)

Policy

p, employee, *, *, /e/:eid, update, "r.sub.id == keyGet2(r.obj,p.obj, 'eid')"
p, employee, *, *, /e/:eid, get, true
p, admin, *, *, /e/:eid, update, true

p, kiosk, cid3, lid1, /kiosk/:kid, (get)|(update), true
p, admin, cid3, lid1, /kiosk/:kid, (get)|(update), true

g, admin, location-admin, *
g, location-admin, receptionist, *
g, receptionist, employee, *
g, billing-admin, employee, *
g, alice, admin, cid3::*
g, eid1, admin, cid2::*
g, *, employee, *
g, tk, kiosk, cid3::lid1

Code:

import { Enforcer, DefaultRoleManager, Util } from "casbin";
import { join as pathJoin } from 'path';

export class AccessControl {
  private static _instance: AccessControl;
  // private adapter: Adapter;
  public defaultEnforcer: Enforcer;

  // eslint-disable-next-line @typescript-eslint/no-empty-function
  private constructor() {

    const e = new Enforcer();
    e.enableAutoSave(true);
    e.enableLog(true);
    this.defaultEnforcer = e;

  }

  public static async getInstance(): Promise<AccessControl> {
    if (!AccessControl._instance) {

      const instance = new AccessControl();
      AccessControl._instance = instance;

      await instance.defaultEnforcer.initWithFile(pathJoin(__dirname, '../rbac-model.conf'), pathJoin(__dirname, '../rbac-policies.csv'));

      //load default policies
      // await instance.defaultEnforcer.loadPolicy();

      // register matching custom functions to enforcer
      await (instance.defaultEnforcer.getRoleManager() as DefaultRoleManager).addDomainMatchingFunc(Util.keyMatchFunc);
      await instance.addActionMatchFunc(instance.defaultEnforcer);
      await instance.addRSubMatchForGFunc(instance.defaultEnforcer);
    }

    return AccessControl._instance;
  }

  /**
   * adds request subject and group subject matching function which is called when model's g() is called
   * @param e enforcer to which rSubMatchForG need to be added
   */
  private async addRSubMatchForGFunc(e: Enforcer) {
    // request subject arrives as "uid::type"; a "*" g subject only stands for employees
    const rSubMatchForG = (rSub: string, gSub: string) => {
      const [uid, type] = rSub.split('::');
      if (gSub === '*') return type === 'employee';

      return uid === gSub;
    };

    await (e.getRoleManager() as DefaultRoleManager).addMatchingFunc(rSubMatchForG);
  }

  // registered as a custom matcher function; the model above uses regexMatch for r.act
  private async addActionMatchFunc(e: Enforcer) {
    await e.addFunction('actionMatch', (...args) => {
      const key1: string = args[0].toString();
      const key2: string = args[1].toString();
      if (!key1 || !key2) return false;
      return key2.split('|').includes(key1);
    });
  }
}

await defaultEnforcer.getImplicitPermissionsForUser('alice', 'cid3::*');

This results in an empty array for user alice.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 8 (6 by maintainers)

Top GitHub Comments

1 reaction
Zxilly commented, Aug 30, 2021

@hariprasadiit I think it is. The domain argument is designed to be a list, but only domain[0] will be used.

0 reactions
hariprasadiit commented, Aug 30, 2021

Thanks for the heads up.

I've gone through the function code and found out that that implementation doesn't work for my specific case but works in general. I'm concatenating two domains into one for g, like r.cid+'::'+r.lid, to support my use case, as the default role manager can't handle two domains, which confuses getImplicitPermissionsForUser. Now I know how to implement my own getImplicitPermissionsForUser.

@Zxilly Thanks for the help. Could you please confirm that the default role manager can only handle one domain for now? I mean, can I have g = _, _, _, _ in the model?
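As an added worked example (not code from the issue, from either commenter, or from node-casbin itself), the following TypeScript re-implements getImplicitPermissionsForUser for exactly this model in a few plain functions, so the domain handling can be seen without the library. keyMatch is reproduced with casbin's semantics, the subject matcher is the issue's own rSubMatchForG, and the policy CSV is the one from the issue, embedded verbatim. The one design assumption is how the single g domain "cid::lid" is mapped back onto the two p columns: the query domain is split on "::" and each half is matched as a pattern in both directions, so a query for cid3::* returns every rule usable somewhere in cid3. Rules are listed, not evaluated: p.rule and eft are carried through untouched.

```typescript
// Added example, not node-casbin's implementation: a hand-rolled
// getImplicitPermissionsForUser for a model whose g stores one concatenated
// "cid::lid" domain while p keeps cid and lid as two separate columns.

interface PolicyRule {
  sub: string; cid: string; lid: string; obj: string; act: string; rule: string;
}
interface RoleLink { user: string; role: string; domain: string; }

// The policy file from the issue, embedded so the example runs offline.
const POLICY_CSV = `
p, employee, *, *, /e/:eid, update, "r.sub.id == keyGet2(r.obj,p.obj, 'eid')"
p, employee, *, *, /e/:eid, get, true
p, admin, *, *, /e/:eid, update, true
p, kiosk, cid3, lid1, /kiosk/:kid, (get)|(update), true
p, admin, cid3, lid1, /kiosk/:kid, (get)|(update), true
g, admin, location-admin, *
g, location-admin, receptionist, *
g, receptionist, employee, *
g, billing-admin, employee, *
g, alice, admin, cid3::*
g, eid1, admin, cid2::*
g, *, employee, *
g, tk, kiosk, cid3::lid1
`;

// Minimal CSV tokenizer: split on commas outside double quotes, trim fields.
// Needed because the first p rule carries a quoted expression containing commas.
function splitCsvLine(line: string): string[] {
  const fields: string[] = [];
  let cur = '';
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line.charAt(i);
    if (ch === '"') { quoted = !quoted; continue; }
    if (ch === ',' && !quoted) { fields.push(cur.trim()); cur = ''; continue; }
    cur += ch;
  }
  fields.push(cur.trim());
  return fields;
}

function loadPolicy(csv: string): { p: PolicyRule[]; g: RoleLink[] } {
  const p: PolicyRule[] = [];
  const g: RoleLink[] = [];
  for (const raw of csv.split('\n')) {
    const line = raw.trim();
    if (!line || line.charAt(0) === '#') continue;
    const [ptype, ...f] = splitCsvLine(line);
    if (ptype === 'p') p.push({ sub: f[0], cid: f[1], lid: f[2], obj: f[3], act: f[4], rule: f[5] });
    else if (ptype === 'g') g.push({ user: f[0], role: f[1], domain: f[2] });
  }
  return { p, g };
}

// Same semantics as casbin's keyMatch: a "*" in key2 matches any suffix of key1.
function keyMatch(key1: string, key2: string): boolean {
  const i = key2.indexOf('*');
  if (i === -1) return key1 === key2;
  if (key1.length > i) return key1.slice(0, i) === key2.slice(0, i);
  return key1 === key2.slice(0, i);
}

// Subject matching as registered by the issue's rSubMatchForG: the request
// subject is "uid::type", and the wildcard g subject "*" only stands for employees.
function subjectMatches(name: string, gSub: string): boolean {
  const [uid, type] = name.split('::');
  if (gSub === '*') return type === 'employee';
  return uid === gSub;
}

// Breadth-first walk over g links whose stored domain pattern matches the
// requested concatenated domain, e.g. "cid3::lid1" matches a stored "cid3::*".
function getImplicitRolesForUser(g: RoleLink[], user: string, domain: string): string[] {
  const roles: string[] = [];
  const queue: string[] = [user];
  while (queue.length > 0) {
    const name = queue.shift() as string;
    for (const link of g) {
      if (!subjectMatches(name, link.user) || !keyMatch(domain, link.domain)) continue;
      if (roles.indexOf(link.role) === -1) { roles.push(link.role); queue.push(link.role); }
    }
  }
  return roles;
}

// Assumption of this example: a p column (cid or lid) is in scope when either
// side's wildcard covers the other, since both the query and the rule may use "*".
function fieldInScope(requested: string, stored: string): boolean {
  return keyMatch(requested, stored) || keyMatch(stored, requested);
}

// Collect p rules for the user and every implicit role, re-splitting the
// concatenated "cid::lid" query back into the (cid, lid) columns that p uses.
// A query without "::" is taken to mean "any lid" (assumption of this example).
function getImplicitPermissionsForUser(
  policy: { p: PolicyRule[]; g: RoleLink[] }, user: string, domain: string): PolicyRule[] {
  const [reqCid, reqLid = '*'] = domain.split('::');
  const subjects = [user.split('::')[0], ...getImplicitRolesForUser(policy.g, user, domain)];
  return policy.p.filter((rule) =>
    subjects.indexOf(rule.sub) !== -1 && fieldInScope(reqCid, rule.cid) && fieldInScope(reqLid, rule.lid));
}
```

With this, getImplicitPermissionsForUser(loadPolicy(POLICY_CSV), 'alice', 'cid3::*') walks alice to admin, location-admin, receptionist and employee and returns four rules (the two employee rules, the admin update rule, and the admin kiosk rule scoped to cid3/lid1), while the same call for 'cid2::*' returns nothing because alice's only g link is scoped to cid3::*. A concrete domain such as 'cid3::lid1' still reaches roles linked at 'cid3::*' through keyMatch, which is the bridging the default filter on the raw domain string does not do for this model.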

