Comments (3)
from casbin.
Sadly that's not so simple as you expect.
The problem is that the enforcer would try to find only one role from `g` or `g2` which meets the requirement, not one from `g` and one from `g2`.
Your model is more likely a RBAC with Domains model, since there is no relationship between `roles` and `entitlements`. Currently casbin is not good at implementing multi-positive check. And I didn't find a way to perfectly implement your model.
Anyway, here is a working solution.
model:

    [request_definition]
    r = sub, dom, obj, act

    [policy_definition]
    p = sub, dom, obj, act

    [role_definition]
    g = _, _, _

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act

policy:

    p, basic, entitlement, basic_feature, read
    p, basic, entitlement, basic_feature, write
    p, premium, entitlement, premium_feature, read
    p, premium, entitlement, premium_feature, write
    p, admin, role, basic_feature, read
    p, admin, role, basic_feature, write
    p, admin, role, premium_feature, read
    p, admin, role, premium_feature, write
    p, auditor, role, basic_feature, read
    p, auditor, role, premium_feature, read

    # alice is an admin that has purchased the premium feature
    g, alice, admin, role
    g, alice, basic, entitlement
    g, alice, premium, entitlement

    # bob is an admin on a free account
    g, bob, admin, role
    g, bob, basic, entitlement

    # charlie is an auditor that has purchased the premium feature
    g, charlie, auditor, role
    g, charlie, basic, entitlement
    g, charlie, premium, entitlement

    # derek is an auditor on a free account
    g, derek, auditor, role
    g, derek, basic, entitlement
code:
    func Test_1384(t *testing.T) {
        // The model and policy shown above are loaded from these two files.
        e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")
        if err != nil {
            t.Fatalf("NewEnforcer Error: %s", err)
        }

        testMultiDomainEnforce := func(t *testing.T, e *Enforcer, sub, obj, act string, res bool) {
            t.Helper()
            // First check: does the subject's role allow the action?
            res1, err := e.Enforce(sub, "role", obj, act)
            if err != nil {
                t.Errorf("Enforce Error: %s", err)
                return
            }
            // Second check: does the subject's entitlement allow the action?
            res2, err := e.Enforce(sub, "entitlement", obj, act)
            if err != nil {
                t.Errorf("Enforce Error: %s", err)
                return
            }
            // Access is granted only when both checks pass. The parentheses are
            // required: `res != res1 && res2` parses as `(res != res1) && res2`.
            if res != (res1 && res2) {
                t.Errorf("%s, %s, %s: %t %t, supposed to be %t", sub, obj, act, res1, res2, res)
            }
        }

        testMultiDomainEnforce(t, e, "alice", "basic_feature", "read", true)
        testMultiDomainEnforce(t, e, "alice", "basic_feature", "write", true)
        testMultiDomainEnforce(t, e, "alice", "premium_feature", "read", true)
        testMultiDomainEnforce(t, e, "alice", "premium_feature", "write", true)

        testMultiDomainEnforce(t, e, "bob", "basic_feature", "read", true)
        testMultiDomainEnforce(t, e, "bob", "basic_feature", "write", true)
        testMultiDomainEnforce(t, e, "bob", "premium_feature", "read", false)
        testMultiDomainEnforce(t, e, "bob", "premium_feature", "write", false)

        testMultiDomainEnforce(t, e, "charlie", "basic_feature", "read", true)
        testMultiDomainEnforce(t, e, "charlie", "basic_feature", "write", false)
        testMultiDomainEnforce(t, e, "charlie", "premium_feature", "read", true)
        testMultiDomainEnforce(t, e, "charlie", "premium_feature", "write", false)

        testMultiDomainEnforce(t, e, "derek", "basic_feature", "read", true)
        testMultiDomainEnforce(t, e, "derek", "basic_feature", "write", false)
        testMultiDomainEnforce(t, e, "derek", "premium_feature", "read", false)
        testMultiDomainEnforce(t, e, "derek", "premium_feature", "write", false)
    }
from casbin.
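The two-call check from the comment above, wrapped as a fail-closed helper. This is an added example, not code from the thread or from casbin: `enforce` is a standard-library stand-in that mirrors the posted matcher for direct role assignments only, and `enforceAll`, `policyCSV` and the trimmed policy are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of the policy posted above (premium_feature read only).
const policyCSV = `p, premium, entitlement, premium_feature, read
p, admin, role, premium_feature, read
g, alice, admin, role
g, alice, premium, entitlement
g, bob, admin, role
g, bob, basic, entitlement`

// enforce stands in for one Enforce call with the posted matcher:
// g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act (p.dom is not compared).
func enforce(sub, dom, obj, act string) bool {
	roles, grants := map[string]bool{}, map[string]bool{}
	for _, l := range strings.Split(policyCSV, "\n") {
		f := strings.Split(l, ", ")
		if f[0] == "g" && f[1] == sub && f[3] == dom {
			roles[f[2]] = true // role held by sub inside this domain
		} else if f[0] == "p" && f[3] == obj && f[4] == act {
			grants[f[1]] = true // policy subject allowed obj/act
		}
	}
	for r := range roles {
		if grants[r] {
			return true // some(where (p.eft == allow))
		}
	}
	return false
}

// enforceAll grants only if every listed domain allows the request on its own.
func enforceAll(sub, obj, act string, doms ...string) bool {
	for _, d := range doms {
		if !enforce(sub, d, obj, act) {
			return false
		}
	}
	return len(doms) > 0 // fail closed when no domain was checked
}

func main() {
	for _, u := range []string{"alice", "bob"} {
		fmt.Println(u, enforceAll(u, "premium_feature", "read", "role", "entitlement"))
	}
}
```

With only the `role` domain checked, bob would be granted `premium_feature` read; the conjunction across both domains is what withholds it.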
appreciated!
from casbin.