Limitation of the GetImplicitUsersForResource()
What's your scenario? What do you want to achieve? Your answer here
Your model:
[request_definition]
# A request carries three fields: subject, object, action.
r = sub, obj, act
[policy_definition]
# A policy rule carries the same three fields.
p = sub, obj, act
[role_definition]
# Two independent grouping relations. The matcher below applies g to
# subjects and g2 to objects.
g = _, _
g2 = _, _
[policy_effect]
# The request is allowed when at least one matching rule has eft == allow.
e = some(where (p.eft == allow))
[matchers]
# Every term is joined with &&, so g, g2 and keyMatch must all hold, and the
# action must be equal or the rule's action must be "*".
# NOTE(review): g2 and keyMatch are both applied to (r.obj, p.obj). For the
# request object "app" and the rule object "admin_data", keyMatch presumably
# fails even though g2 links the two. Confirm whether || was intended between
# the two object terms.
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")
Your policy:
p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data
Your request(s):
// Ask for every subject that has a "p" rule on the resource "app". In the
// policy above "app" appears only as a g2 member of admin_data, never as the
// object of a "p" rule.
users, err := r.enforcer.GetImplicitUsersForResource("app")
The call cannot find any user for the resource app. Is there another, more elegant way to get the users?
Wrote my opinion in the comments below
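// GetImplicitUsersForResource returns the "p" rules whose object is resource,
// with every role subject replaced by the users that the enforcer's role
// manager reports for that role. The collected rules are passed through
// removeDuplicatePermissions before being returned.
//
// Only rules whose object field is exactly equal to resource are considered.
// Resource groupings (for example a g2 link from resource to a rule object)
// and pattern objects are not followed, so the result may be incomplete for
// models whose matcher relies on them. An empty result is therefore not
// evidence that no subject can reach the resource.
//
// An error is returned when the "sub" or "obj" field cannot be located in the
// "p" definition, or when the role manager fails to list a role's users.
func (e *Enforcer) GetImplicitUsersForResource(resource string) ([][]string, error) {
	// A failed lookup must stop here: both indexes are used to subscript
	// every rule in the loop below.
	subjectIndex, err := e.GetFieldIndex("p", "sub")
	if err != nil {
		return nil, err
	}
	objectIndex, err := e.GetFieldIndex("p", "obj")
	if err != nil {
		return nil, err
	}

	rm := e.GetRoleManager()

	// Set of every name GetAllRoles reports, used to tell role subjects
	// from plain user subjects.
	isRole := make(map[string]bool)
	for _, role := range e.GetAllRoles() {
		isRole[role] = true
	}

	permissions := make([][]string, 0)
	for _, rule := range e.model["p"]["p"].Policy {
		// Strict string comparison: the role of the resource is not processed.
		if rule[objectIndex] != resource {
			continue
		}

		sub := rule[subjectIndex]
		if !isRole[sub] {
			// NOTE(review): this appends the stored rule slice itself rather
			// than a copy; confirm callers cannot alter policy through it.
			permissions = append(permissions, rule)
			continue
		}

		// NOTE(review): presumably GetUsers lists only the direct members of
		// sub; confirm whether nested roles are expanded.
		users, err := rm.GetUsers(sub)
		if err != nil {
			return nil, err
		}
		for _, user := range users {
			// Rewrite the subject on a copy so the rule held by the model
			// is not modified.
			implicitUserRule := deepCopyPolicy(rule)
			implicitUserRule[subjectIndex] = user
			permissions = append(permissions, implicitUserRule)
		}
	}

	return removeDuplicatePermissions(permissions), nil
}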
@tangyang9464 @JalinWang
@PokIsemaine
@JK-97 Thanks for your feedback. GetImplicitUsersForResource does not currently support matching obj and resource through g-type (grouping) definitions; we will update it in a later release.