RBAC deleteUser does not work correctly and is not tested

[Sefriol]

Coveralls
Source

I think deleteUser should follow similar idea as deleteRole:

public async deleteUser(user: string): Promise<boolean> {
    const res1 = await this.removeFilteredGroupingPolicy(0, user);
    const res2 = await this.removeFilteredPolicy(0, user);
    return res1 || res2;
}

Since we want to remove assigned grouping policy and policies assigned to that user. Now when using mongoose-adapter, it will just remove user grouping policies, leaving normal policies still into the database. With code above, I was able to fix this.

[Sefriol]

Created related tests for mongoose-adapter

[nodece]

@hsluoyz what do you think?

[Sefriol]

I'll create a pull request with RBAC tests and required changes.

[hsluoyz]

@nodece @Sefriol can you check how Golang's Casbin handle it? I want all Casbin implementations to follow the same behavior on this.

[Sefriol]

#119

[Sefriol]

@hsluoyz Is the function properly tested in Golang? Since implementation looks the same, so issue should be the same. Unless the implementation of removeFilteredGroupingPolicy() is different in golang.

However, in golang tests it does not seem like user permission tests are correct.

In line 107 I think alice should have no rights for data1 after she was deleted.

[hsluoyz]

Hi @Sefriol , I think you are right. Both Golang and Node.js Casbin have wrong implementation. Can you make a PR for Golang too to fix the code and test?

[Sefriol]

I'll update the PR later on today. Golang does not seem to be that complicated either, but it has been awhile since I worked on Golang-project.

[nodece]

🎉 This issue has been resolved in version 4.1.1 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀