Describe the bug
The enforcer seems to ignore the remaining components of the matcher when one of its evaluated expressions contains an x || y condition. However, it works as intended when the condition is wrapped in parentheses (x || y). The issue is not reproducible in the live editor but I've created a Go repl.it for a simple repro.
To Reproduce
Create a model.conf file with content as follows:
```
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub_rule, obj_rule, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = eval(p.sub_rule) && eval(p.obj_rule) && (p.act == '*' || r.act == p.act)
```
Create a policy.conf file with an expression containing an OR (||) - for simplicity let's just have a dummy || false:
Execute the code below - check whether admin can write resource of type definitely NOT users:
```go
package main

import (
	"embed"
	"fmt"

	"github.com/casbin/casbin/v2"
	casbin_fs_adapter "github.com/naucon/casbin-fs-adapter"
	"github.com/pkg/errors"
)

//go:embed model.conf policy.conf
var f embed.FS

type subject struct {
	Role string
}

type object struct {
	ResourceType string
	Role         string
}

func main() {
	// Load the model and the policy from the embedded files.
	model, err := casbin_fs_adapter.NewModel(f, "model.conf")
	if err != nil {
		panic(err)
	}
	policies := casbin_fs_adapter.NewAdapter(f, "policy.conf")
	e, err := casbin.NewEnforcer(model, policies)
	if err != nil {
		panic(errors.Wrap(err, "failed to initialize casbin enforcer"))
	}

	// admin tries to write a resource whose type is not 'users'.
	s := subject{Role: "admin"}
	o := object{ResourceType: "definitely NOT users"}
	a := "write"
	res, err := e.Enforce(s, o, a)
	if err != nil {
		panic(errors.Wrap(err, "failed to authorize resource access"))
	}
	fmt.Println("enforce res:", res)
}
```
The result of the Enforce call is true even though it clearly should be false since 'users' != 'definitely NOT users'
Now change the policy so that the condition is wrapped in parentheses i.e.: p, (r.sub.Role == 'admin' || false), r.obj.ResourceType == 'users', write
The result of the Enforce is false as expected.
Expected behavior
Parentheses shouldn't matter in this case IMHO - the current behavior is quite confusing, especially since it doesn't affect AND conditions.
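
A pre-load check built on the workaround reported above, as an added example that is not part of the original issue or of the Casbin project: it parenthesizes any `sub_rule` or `obj_rule` that contains a top-level `||` before the policy reaches the enforcer. `hasTopLevelOr` and `hardenPolicyLine` are hypothetical helper names, and the policy line in `main` is a constructed sample in the shape the report describes.

```go
package main

import (
	"fmt"
	"strings"
)

// hasTopLevelOr reports whether expr has "||" outside parentheses and quotes.
func hasTopLevelOr(expr string) bool {
	depth, quote := 0, byte(0) // quote is 0 when outside a string literal
	for i := 0; i < len(expr); i++ {
		switch c := expr[i]; {
		case quote != 0:
			if c == quote {
				quote = 0
			}
		case c == '\'' || c == '"':
			quote = c
		case c == '(':
			depth++
		case c == ')':
			depth--
		case c == '|' && depth == 0 && strings.HasPrefix(expr[i:], "||"):
			return true
		}
	}
	return false
}

// hardenPolicyLine parenthesizes fields 1-2 (sub_rule, obj_rule) of a "p" line
// that contain a top-level "||". Assumption: rules contain no commas.
func hardenPolicyLine(line string) string {
	fields := strings.Split(line, ",")
	if len(fields) < 4 || strings.TrimSpace(fields[0]) != "p" {
		return line
	}
	for i := 1; i <= 2; i++ {
		if rule := strings.TrimSpace(fields[i]); hasTopLevelOr(rule) {
			fields[i] = " (" + rule + ")"
		}
	}
	return strings.Join(fields, ",")
}

func main() {
	// Constructed policy line in the shape described in the report.
	in := "p, r.sub.Role == 'admin' || false, r.obj.ResourceType == 'users', write"
	out := hardenPolicyLine(in)
	fmt.Printf("changed=%v\n%s\n", out != in, out)
}
```

Running the same function over every line of a policy file in CI flags rules that would otherwise depend on how the matcher treats an unparenthesized `||`.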