
How can I make some resource 'premium user only'?

Open LLLLLQ-4 opened this issue 7 months ago • 2 comments



What's your scenario? What do you want to achieve?

I want to protect /premium/* from /*. When I define /* as root_path and /premium/* as premium_path, my model and policy work well as follows:

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act 

Your policy:

g, alice, user
g, jdoe, user
g, jdoe, user_premium

p, user, root_path, access
p, user_premium, root_path, access

p, user_premium, premium_path, access

Your request(s):

--- Testing Protected Resource Access ---
alice can access root_path: ALLOWED
jdoe can access root_path: ALLOWED

--- Testing Premium Resource Access ---
alice can access premium_path: DENIED
jdoe can access premium_path: ALLOWED

However, when I specify root_path and premium_path with their actual values, the results are wrong, and I have no clue how to figure it out:

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act 

Your policy:

g, alice, user
g, jdoe, user
g, jdoe, user_premium

p, user, /*, access
p, user_premium, /*, access

p, user_premium, /premium/*, access

Your request(s):

alice can access /premium/123: ALLOWED
jdoe can access /premium/123: ALLOWED

LLLLLQ-4 avatar Jun 03 '25 12:06 LLLLLQ-4

try

model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act && (p.eft != "deny" || !g(r.sub, "user_premium"))

policy:

g, alice, user
g, jdoe, user
g, jdoe, user_premium

p, user, /*, access, allow
p, user, /premium/*, access, deny
p, user_premium, /premium/*, access, allow


imp2002 avatar Jun 09 '25 16:06 imp2002
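The two models in this thread, replayed in a small self-contained Python evaluator so the difference is visible without installing casbin. This is an added example, not casbin's own code and not code from either participant: `key_match` follows the documented semantics of casbin's `keyMatch` (prefix match up to the first `*`), `has_role` is a plain transitive lookup over the `g` links, and `enforce` applies the two `policy_effect` expressions literally. The role links and policy rows are the ones posted above; the `/docs/1` request and the user `bob` are constructed inputs. The point it shows: with `/*` in an allow-only policy, `keyMatch` makes `user`'s row cover `/premium/123`, so alice is allowed; the answer's explicit `deny` row fixes that, and the extra matcher guard is what keeps the `user` deny row from also hitting jdoe, who is a member of `user` too.

```python
"""Replay of the two casbin models from the thread in plain Python.

Added illustration, not casbin's evaluator. key_match mirrors casbin's
keyMatch; has_role is a transitive lookup over g links; enforce applies
the policy_effect expression over every matching policy row.
"""

# g, sub, role  (copied from the thread)
ROLE_LINKS = [
    ("alice", "user"),
    ("jdoe", "user"),
    ("jdoe", "user_premium"),
]

# Allow-only policy from the question. casbin treats a missing eft column
# as "allow", so it is written out here explicitly.
ALLOW_ONLY_POLICY = [
    ("user", "/*", "access", "allow"),
    ("user_premium", "/*", "access", "allow"),
    ("user_premium", "/premium/*", "access", "allow"),
]

# Deny-override policy from the accepted answer.
DENY_OVERRIDE_POLICY = [
    ("user", "/*", "access", "allow"),
    ("user", "/premium/*", "access", "deny"),
    ("user_premium", "/premium/*", "access", "allow"),
]


def key_match(key1, key2):
    """casbin keyMatch: a '*' in key2 matches any suffix of key1."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]


def has_role(sub, role, links):
    """g(sub, role): true if sub == role or sub reaches role through g links."""
    if sub == role:
        return True
    seen, stack = set(), [sub]
    while stack:
        cur = stack.pop()
        for s, r in links:
            if s == cur and r not in seen:
                if r == role:
                    return True
                seen.add(r)
                stack.append(r)
    return False


def matcher_question(req, rule, links):
    """m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act"""
    sub, obj, act = req
    p_sub, p_obj, p_act, _eft = rule
    return has_role(sub, p_sub, links) and key_match(obj, p_obj) and act == p_act


def matcher_answer(req, rule, links):
    """Question matcher plus (p.eft != "deny" || !g(r.sub, "user_premium")).

    The guard drops deny rows for anyone who holds user_premium, so the
    'user' deny row cannot block jdoe even though jdoe is also a 'user'.
    """
    sub, _obj, _act = req
    eft = rule[3]
    return matcher_question(req, rule, links) and (
        eft != "deny" or not has_role(sub, "user_premium", links)
    )


def enforce(req, policy, matcher, links, deny_override):
    """deny_override=False: some(where (p.eft == allow))
    deny_override=True:  some(where (p.eft == allow)) && !some(where (p.eft == deny))
    """
    effects = [rule[3] for rule in policy if matcher(req, rule, links)]
    if deny_override:
        return "allow" in effects and "deny" not in effects
    return "allow" in effects


def question_decision(sub, obj):
    """The question's model: allow-only effect, keyMatch on obj."""
    return enforce((sub, obj, "access"), ALLOW_ONLY_POLICY, matcher_question, ROLE_LINKS, False)


def answer_decision(sub, obj):
    """The answer's model: explicit deny row, deny-override effect, guarded matcher."""
    return enforce((sub, obj, "access"), DENY_OVERRIDE_POLICY, matcher_answer, ROLE_LINKS, True)


def answer_without_guard(sub, obj):
    """Answer's policy and effect but the question's matcher: shows why the guard matters."""
    return enforce((sub, obj, "access"), DENY_OVERRIDE_POLICY, matcher_question, ROLE_LINKS, True)


if __name__ == "__main__":
    for sub in ("alice", "jdoe"):
        print(sub, "/premium/123 ->",
              "question:", question_decision(sub, "/premium/123"),
              "answer:", answer_decision(sub, "/premium/123"),
              "answer without guard:", answer_without_guard(sub, "/premium/123"))
```

Running it prints alice allowed under the question's model and denied under the answer's, jdoe allowed under both, and jdoe denied if the deny-override policy is used without the matcher guard. Any subject with no `g` link (for example `bob`) is denied in every variant, because no row matches at all.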

Thanks. So, a policy doesn't implicitly deny when an object matches but the subject doesn't.

LLLLLQ-4 avatar Jun 10 '25 02:06 LLLLLQ-4

Closed as resolved

hsluoyz avatar Jul 13 '25 03:07 hsluoyz