Limitation of the GetImplicitUsersForResource() #1309

Open
JK-97 opened this issue Aug 28, 2023 · 3 comments

JK-97 commented Aug 28, 2023


What's your scenario? What do you want to achieve?
Your answer here

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && keyMatch(r.obj, p.obj) && (r.act == p.act || p.act == "*")

Your policy:

p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data

Your request(s):

users, err := r.enforcer.GetImplicitUsersForResource("app")

Cannot find users for resource "app". Is there any other elegant way to get users?

Wrote my opinion in the comments below

func (e *Enforcer) GetImplicitUsersForResource(resource string) ([][]string, error) {
	permissions := make([][]string, 0)
	subjectIndex, _ := e.GetFieldIndex("p", "sub")
	objectIndex, _ := e.GetFieldIndex("p", "obj")
	rm := e.GetRoleManager()

	isRole := make(map[string]bool)
	for _, role := range e.GetAllRoles() {
		isRole[role] = true
	}

	for _, rule := range e.model["p"]["p"].Policy {
		obj := rule[objectIndex]
		if obj != resource {  // The role of resource is not processed.
			continue
		}

		sub := rule[subjectIndex]

		if !isRole[sub] {
			permissions = append(permissions, rule)
		} else {
			users, err := rm.GetUsers(sub)
			if err != nil {
				return nil, err
			}

			for _, user := range users {
				implicitUserRule := deepCopyPolicy(rule)
				implicitUserRule[subjectIndex] = user
				permissions = append(permissions, implicitUserRule)
			}
		}
	}

	res := removeDuplicatePermissions(permissions)
	return res, nil
}
@casbin-bot

@tangyang9464 @JalinWang

@hsluoyz

hsluoyz commented Aug 28, 2023

@PokIsemaine

@PokIsemaine

@JK-97 Thanks for your feedback. GetImplicitUsersForResource does not currently support matching obj and resource based on g type, and we will update it in a later release.
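When this kind of lookup is used to audit who can reach a resource, a literal obj comparison under-reports access for resources that are granted through a g2 resource role. The following is an added example, not Casbin code and not the planned fix: a self-contained sketch over the issue's three policy lines that resolves the resource through g2 before expanding subjects through g. It models only the g/g2 grouping and ignores the matcher's keyMatch and act clauses; all function and variable names are hypothetical.

```go
package main

import "fmt"
import "sort"

// Constructed sample data: the three policy lines quoted in the issue.
var (
	pRules  = [][]string{{"admin_group", "admin_data", "*"}} // sub, obj, act
	gRules  = [][]string{{"admin", "admin_group"}}           // user -> role
	g2Rules = [][]string{{"app", "admin_data"}}              // resource -> resource role
)

// ancestors returns start plus everything reachable over member -> role edges.
func ancestors(edges [][]string, start string) map[string]bool {
	seen := map[string]bool{start: true}
	for queue := []string{start}; len(queue) > 0; queue = queue[1:] {
		for _, e := range edges {
			if e[0] == queue[0] && !seen[e[1]] {
				seen[e[1]] = true
				queue = append(queue, e[1])
			}
		}
	}
	return seen
}

// implicitUsers lists non-role subjects holding a p rule on resource; nil g2 = literal obj match.
func implicitUsers(resource string, g2 [][]string) []string {
	objs := ancestors(g2, resource)
	isRole, subjects := map[string]bool{}, map[string]bool{}
	for _, e := range gRules {
		subjects[e[0]], isRole[e[1]] = true, true
	}
	users, seen := []string{}, map[string]bool{}
	for _, rule := range pRules {
		subjects[rule[0]] = true
		for s := range subjects {
			if objs[rule[1]] && !isRole[s] && !seen[s] && ancestors(gRules, s)[rule[0]] {
				users, seen[s] = append(users, s), true
			}
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	fmt.Println(implicitUsers("app", nil), implicitUsers("app", g2Rules)) // [] [admin]
}
```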
