Hello, recently I'm having another issue, while creating a new user/role, I would like to assign some default rights for it.

We can definitly call multiple times addPolicy but it cannot guarantee that all the default policies have been added, I'm risking having an invalid user in that case.

So I'm thinking if we could have some wrappers like addPolicies, removePolicies.

addPolicies returns Promise<true> only if all the policies have been added, if one of them fails then it cancels this operation (remove the ones have been added)

removePolicies is similar.

Hey,

firstly thanks for this awesome library!

I noticed that the frontend casbin library uses this under-the-hood, so I'm using this library on both microservice and Frontend.

However, I'd love to be able to use this library on React Native - which would work, but because the model loading from file uses the fs library, I can't.

How likely/possible would it be to extract out model loading from a file/file handling to be a plugin/adapter to remove the need for fs? (I load the model and policy dynamically from the microservice).

Thanks!

By default, the adapter is creating id, ptype, v0, v1, v2, v3, v4 columns if not exist Can I add more columns to handle the application policies Like application_id as v5, group_id as v6,... etc

I tried to add the columns but during the retrieval, it's returning only the columns which is created by the adapter.

Was wondering if anyone else is experiencing a slow down even with a relatively low number of policies.

For our ~20k policies we notice it takes around 5 seconds to evaluate them.

Here is our conf.

[request_definition]
r = type, resourceId, userId, action

[policy_definition]
p = type, resourceId, userId, action

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.type == p.type && r.resourceId == p.resourceId && r.userId == p.userId && r.action == p.action

We have seemed to narrowed it down to this line in coreEnforcer.ts

Switching from compileAsync to compile and removing the await brought us down to around 40ms with the same amount of policies.

When importing casbin in a typescript project for Angular I get this error:

For the Model class I've solved by importing like this:

import { Model } from "casbin/lib/esm/model";

But for newEnforcer there is no way to work around that issue. Am I missing something?

getting this error working in react typescript application. Please fix it

Module parse failed: Unexpected token (158:32) File was processed with these loaders:

• ./node_modules/babel-loader/lib/index.js You may need an additional loader to handle the result of these loaders. | async buildIncrementalRoleLinks(rm, op, sec, ptype, rules) { | if (sec === 'g') {

  await this.model.get(sec)?.get(ptype)?.buildIncrementalRoleLinks(rm, op, rules);

| } | } // buildRoleLinks initializes the roles in RBAC.

I see that the return type of function signature in interface RoleManager are not async value. In fact, all functions related to IO operation in JavaScript should be async, for example:

getRoles(name: string, ...domain: string[]): string[]; Perhaps it will query database So it should be

getRoles(name: string, ...domain: string[]): Promise<string[]>

for compatibility, maybe it can be getRoles(name: string, ...domain: string[]): Promise<string[]> | string[]

thoughts?

@nodece @hsluoyz

Hi, I'm using casbin 5.6.1 and wanted to use the function casbinJsGetPermissionForUser to retrieve the list of permissions associated to a user on request, but it returns only a string representation of the model.

The code doesn't seem to use the user passed in argument.

I also tried to use await enforcer.getImplicitPermissionsForUser(user); but it returns empty

this is my model

[request_definition]
r = user, domain, path, method

[policy_definition]
p = role, domain, path, method

[role_definition]
# map user, role and domain
g = _, _, _
# mapping id to global resource
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# map user request to correct role, and validte path and method requested are allowed
m = g(r.user, p.role, r.domain) && g2(r.domain, p.domain) && keyMatch2(r.path, p.path) && regexMatch(r.method, p.method)

and the policy

# only correct role can do correct call to these
p, role:owner, workflow_api, /workflow/:id, (get)|(put)
p, role:admin, workflow_api, /workflow/:id, get

# gloabl role hierarchy
g, role:super_admin, role:owner, *

# map user roles to WF ids
g, User1, role:owner, wf1
g, User2, role:admin, wf1
g, User3, role:owner, wf2

# reference the new id to be a valid workflow
g2, wf1, workflow_api
g2, wf2, workflow_api

Enforcer itself works fine.

How can i get the implicit list of roles of my users ?

I have the following role definition:

[role_definition]
g = _, _, _

But, when I am trying to add a role for a user, the function addRoleForUser accepts only two parameters (it is hardcoded), so I can not provide the domain.

Here is the test-case I wrote to check that:

    it('Should properly add new role to user and remove it from the enforcer', async () => {
        const enforcer = await getEnforcer();

        assert.deepEqual(await enforcer.getGroupingPolicy(), []);
        // here I am trying to add role, but signature for the method accepts only user and role
        assert.isTrue(await enforcer.addRoleForUser('subject', 'role', 'domain'));
    });

So, as a result, I am getting the following error:

Error: grouping policy elements do not meet role definition
      at Assertion.buildRoleLinks (node_modules/casbin/lib/model/assertion.js:40:23)
      at astMap.forEach.value (node_modules/casbin/lib/model/model.js:123:19)
      at Map.forEach (<anonymous>)
      at Model.buildRoleLinks (node_modules/casbin/lib/model/model.js:122:16)
      at Enforcer.buildRoleLinks (node_modules/casbin/lib/coreEnforcer.js:246:20)
      at Enforcer.<anonymous> (node_modules/casbin/lib/managementEnforcer.js:339:22)
      at Generator.next (<anonymous>)
      at fulfilled (node_modules/casbin/lib/managementEnforcer.js:17:58)

I'm attempting to figure out how to discover if a user has the ability to perform a specific action on an object in any of my domains. Here's basically what I'm working with:

config

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act

policies

p, admin, tenant1, data1, read
p, admin, tenant1, data1, write
p, admin, tenant1, data2, read
p, admin, tenant1, data2, write
p, user, tenant1, data1, read
p, user, tenant1, data2, read

p, admin, tenant2, data1, read
p, admin, tenant2, data1, write
p, admin, tenant2, data2, read
p, admin, tenant2, data2, write
p, user, tenant2, data1, read
p, user, tenant2, data2, read

g, alice, admin, tenant1
g, bob, user, tenant2

I want to check if Alice has the write action on data1 for any domain. What is the best way to do this?

I can do an enforce and supply a domain to check if the user has data1 write access, but I can't do it for all domains at once.

I have attempted to add a custom domain matching function using the following code, but the wildCardDomainMatch doesn't seem to ever be called.

initialization

    this._permissionEnforcer = await newEnforcer(this._model, this._adapter);
    const rm = new DefaultRoleManager(10);
    await rm.addDomainMatchingFunc(this.wildCardDomainMatch);
    await this._permissionEnforcer.setRoleManager(rm);
    await this._permissionEnforcer.loadPolicy();

Domain Match Function

private wildCardDomainMatch = (requestDomain: string, policyDomain: string): boolean => {
  if (requestDomain === "*") {
      return true;
  }

  return requestDomain === policyDomain;
};

im new to casbin and recently using it with nodejs and came across this probably frequent need to use both grouping and keyMatching on a policy , wraping a keyMatch func with g identifier or viseversa doesnt seem to be valid syntax for serving those policies containing resource with pattern

Previously the casbinJsGetPermissionForUser function would not include the grouping policy in the generated result, I have now added this missing part.

This is the doc: https://casbin.io/docs/priority-model#load-policy-with-priority-based-on-role-and-user-hierarchy Then I place the demo code to the online editor: https://casbin.org/casbin-editor/#53YFYAD7M When I click RUN THE TEST button, it throw unsupported effect!

@nodece has suggested to add a flag for getting a not-implemented error from the adapter.

I have a suggestion, add a flag for receiving all errors, meas if true we will throw errors even if it's a not-implemented error.

need a discussion on this.

Originally posted by @nodece in https://github.com/casbin/node-casbin/pull/384#discussion_r967673880

I have problem when using node-casbin with react

import { newModel, Enforcer, newEnforcer } from 'casbin'
import { AuthActionVerb, AuthPossession, CustomAuthActionVerb } from 'constants/enum/auth'
import { ExecutionContext } from 'graphql/execution/execute'

import storage from './storage'

export type Permission = {
  resource: string
  action: AuthActionVerb | CustomAuthActionVerb
  possession?: AuthPossession
}

export const loadModel = () => {
  // rbac model
  const model = `
	[request_definition]
	r = sub, obj, act

	[policy_definition]
	p = sub, obj, act

	[role_definition]
	g = _, _

	[policy_effect]
	e = some(where (p.eft == allow))

	[matchers]
	m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act`

  const m = newModel()
  m.loadModelFromText(model)
  return m
}

export const loadPermissions = async (enforcer: Enforcer) => {
  const permissions = storage.getPermissions()
  await Promise.all([
    ...permissions.map((permission: any) => {
      return enforcer.addPolicy(permission[0], permission[1], permission[2])
    }),
  ])
}

export const initEnforcer = async (): Promise<Enforcer | null> => {
  const m = loadModel()

  const enforcer = await newEnforcer(m)

  await loadPermissions(enforcer)

  return enforcer
}

Want to prioritize this issue? Try:

What's your scenario? What do you want to achieve?

I want to find a better way to implement this setup, as performance is really really bad as is.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && r.act == p.act

Your policy:

p | ["program-manager-438", "/program/438", "delete"]
p | ["program-manager-438", "/program/438", "read_mappings"]
p | ["program-manager-438", "/audit/438/:auditId", "create"]
p | ["program-manager-438", "/audit/438/:auditId", "delete_attachment"]
p | ["program-manager-438", "/audit/438/:auditId", "Treatment.Completed"]
p | ["program-manager-438", "/audit/438/:auditId", "Archived.Completed"]
p | ["program-manager-438", "/vendor/438/:vendorId", "upload_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "download_attachment"]
p | ["program-manager-438", "/requirement/438/:frameworkOrAuditId/:requirementId", "Draft.In-scope"]
p | ["program-manager-438", "/assessment/438/:auditId/:assessmentId", "delete_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "read_mappings"]
p | ["program-manager-438", "/evidence-request/438/:auditId/:assessmentId/:evidenceRequestId", "Archived.Draft"]
p | ["program-manager-438", "/finding/438/:auditId/:assessmentId/:findingId", "delete"]

g | john, program-manager-438

Your request(s):

john, finding/438/33/44/3, read ---> true

Essentially the goal is to have roles that have wildcard rules like this. But also roles that are more specific that use exact ids instead. This works with the implementation above, but has atrocious performance.

Currently, if you have around 40000 rules, this takes ~500ms to check 10 permissions, and ~1000ms to check 20 permissions...that makes me think that the enforcer is checking them synchronously?

FYI: My setup is nodejs with postgres adapter.