Question: How to use casbin with default deny rule?

[zzzz0317]

I created a new organization with some apps. However, I found that I can't create a rule for "app-built-in".
And when I changed the Casbin model to this, all users had all app's permissions.

r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act

I hope this system can achieve that users can only log in to "app-built-in" unless explicitly authorized for a specific application.

[casbin-bot]

@seriouszyx @ComradeProgrammer @Resulte

[zzzz0317]

I have 3 app in new organization, and 1 app in built-in organization.

[hsluoyz]

@zzzz0317 users can only log in to "app-built-in" unless explicitly authorized for a specific application. is a wrong concept. This cannot be done. All users for the built-in org (and the app-built-in app) are global admins. Their permissions cannot be restricted by Casbin permission.

See: https://casdoor.org/docs/basic/core-concepts/#how-does-casdoor-manage-itself

[zzzz0317]

@hsluoyz My point is that users in the built-in organization are all high-privileged administrators. For users from other organizations, by default, they are only allowed to log in to a few specific applications. If they don't have administrator authorization, a specific role, or are not part of a specific group, they cannot log in to other applications.