
I'm trying to implement Casbin authentication so that a user can only get their own username, but apply this to a group. Example:

/users/get/alice can be called by user with username alice

/users/get/john50 can be called by user with username john50

alice and john50 can't call the other's endpoint.

However, I want to be able to apply this to all users within a group, so ideally I'd want my policy to look like:

```
p, staff-all, /users/get/:userid, GET, allow
```

Is this something I can implement in the policy and model, or would I need to implement something in code? This sounds like a more complicated use case than having it in the policy and model.

My current model:

```
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
```

I have seen something similar in the Casbin examples, but these seem to give a specific username rather than being done via groups.

Josh Laird

1 Answer

See the keyGet() functions here: https://casbin.org/docs/en/function

The matcher will be something like:

```
m = (r.sub == keyGet(r.obj, p.obj)) && <other_part>
```

hsluoyz
  • I'm getting a `Function not found: keyGet` error and I can't see `keyGet` in [here](https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/util/BuiltInFunctions.java). Is keyGet not supported in jCasbin? – Josh Laird Feb 04 '21 at 17:18
  • It might also be worth mentioning that we are using RBAC, but we want to be able to ensure that a user who is not part of an admin group can only access their own jobs – Josh Laird Feb 04 '21 at 18:03
  • @JoshLaird keyGet() is currently only available in Golang, please send a GitHub issue in the jCasbin repo to request this feature in Java, we will help you there. – hsluoyz Feb 05 '21 at 12:11
  • @JoshLaird added here: https://github.com/casbin/jcasbin/issues/132 – hsluoyz Feb 10 '21 at 05:47
  • Thanks so much! I'll give this a go – Josh Laird Feb 11 '21 at 09:09
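
The ownership check that the answer's matcher expresses, written out in plain Go with no Casbin dependency (an added example, not code from the thread or from Casbin). `pathParam`, `allowed` and the sample group data are hypothetical names, and the action is compared by equality rather than `regexMatch`.

```go
package main

import (
	"fmt"
	"strings"
)

// pathParam returns the value bound to ":name" when path matches pattern
// segment by segment. Hypothetical helper, not a Casbin function.
func pathParam(path, pattern, name string) (string, bool) {
	ps, ts := strings.Split(path, "/"), strings.Split(pattern, "/")
	if len(ps) != len(ts) {
		return "", false // extra or missing segments never match
	}
	val, found := "", false
	for i, t := range ts {
		switch {
		case strings.HasPrefix(t, ":"):
			if ps[i] == "" {
				return "", false // an empty segment cannot bind a parameter
			}
			if t[1:] == name {
				val, found = ps[i], true
			}
		case t != ps[i]:
			return "", false // literal segment differs
		}
	}
	return val, found
}

// Constructed sample data: group membership (the g rules) and one policy row.
var groups = map[string][]string{"alice": {"staff-all"}, "john50": {"staff-all"}}
const pSub, pObj, pAct = "staff-all", "/users/get/:userid", "GET"

// allowed mirrors: g(r.sub, p.sub) && r.sub == <:userid from r.obj> && r.act == p.act
func allowed(sub, obj, act string) bool {
	inGroup := false
	for _, g := range groups[sub] {
		inGroup = inGroup || g == pSub
	}
	owner, ok := pathParam(obj, pObj, "userid")
	return inGroup && ok && owner == sub && act == pAct
}

func main() {
	fmt.Println(allowed("alice", "/users/get/alice", "GET"))  // own record
	fmt.Println(allowed("alice", "/users/get/john50", "GET")) // someone else's
}
```

The group rule alone would let every member of `staff-all` read every user; it is the comparison of the subject against the extracted `:userid` segment that restricts each member to their own path.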