fix: abac not using policy

php-casbin · Nov 26, 2021 · f728d2c · f728d2c
1 parent 88994ef
commit f728d2c
Show file tree

Hide file tree

Showing 4 changed files with 37 additions and 1 deletion.
diff --git a/examples/abac_not_using_policy_model.conf b/examples/abac_not_using_policy_model.conf
@@ -0,0 +1,11 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = r.sub == r.obj.owner
diff --git a/examples/abac_rule_effect_policy.csv b/examples/abac_rule_effect_policy.csv
@@ -0,0 +1,4 @@
+p, alice, /data1, read, deny
+p, alice, /data1, write, allow
+p, bob, /data2, write, deny
+p, bob, /data2, read, allow
diff --git a/src/CoreEnforcer.php b/src/CoreEnforcer.php
@@ -640,7 +640,7 @@ protected function enforcing(string $matcher, &$explains = [], ...$rvals): bool
         $explainIndex = 0;
 
         $policyLen = \count($this->model['p'][$pType]->policy);
-        if (0 != $policyLen) {
+        if (0 != $policyLen && (strpos($expString, $pType . '_') !== false)) {
             foreach ($this->model['p'][$pType]->policy as $policyIndex => $pvals) {
                 $parameters = array_combine($pTokens, $pvals);
                 if (false == $parameters) {

diff --git a/tests/Unit/Model/ModelTest.php b/tests/Unit/Model/ModelTest.php
@@ -8,6 +8,7 @@
 use Casbin\Rbac\DefaultRoleManager\RoleManager;
 use Casbin\Util\BuiltinOperations;
 use PHPUnit\Framework\TestCase;
+use stdClass;
 
 /**
  * ModelTest.
@@ -18,6 +19,14 @@ class ModelTest extends TestCase
 {
     private $modelAndPolicyPath = __DIR__ . '/../../../examples';
 
+    public static function newTestResource(string $name, string $owner): stdClass
+    {
+        $r = new stdClass();
+        $r->name = $name;
+        $r->owner = $owner;
+        return $r;
+    }
+
     public function testLoadModelFromText()
     {
         $text = <<<'EOT'
@@ -53,6 +62,18 @@ public function testLoadModelFromText()
         $this->assertTrue($e->enforce('bob', 'data2', 'write'));
     }
 
+    public function testABACNotUsingPolicy()
+    {
+        $e = new Enforcer($this->modelAndPolicyPath . '/abac_not_using_policy_model.conf', $this->modelAndPolicyPath . '/abac_rule_effect_policy.csv');
+        $data1 = self::newTestResource('data1', 'alice');
+        $data2 = self::newTestResource('data2', 'bob');
+
+        $this->assertEquals($e->enforce('alice', $data1, 'read'), true);
+        $this->assertEquals($e->enforce('alice', $data1, 'write'), true);
+        $this->assertEquals($e->enforce('alice', $data2, 'read'), false);
+        $this->assertEquals($e->enforce('alice', $data2, 'write'), false);
+    }
+
     public function testABACPolicy()
     {
         $e = new Enforcer($this->modelAndPolicyPath . '/abac_rule_model.conf', $this->modelAndPolicyPath . '/abac_rule_policy.csv');