casbin / casbin-editor

Web-based model & policy editor for Casbin

Home Page: https://editor.casbin.org


[Question] Result with same model, policy and request is not the same on editor casbin page

longle2 opened this issue

I tested the model, policy and requests below; the expected result must be

true
true
false
true
true
true
true

but that is only the case on the ABAC example page; if I switch to another example and paste the same config, the result will be

true
true
false
true
true
true
false

The difference is the last request: it is true on the ABAC example page and false on the other example pages. Any reason why this happens, or did I misconfigure something?

Tks !!!

What's your scenario? What do you want to achieve?
Is my config correct, or is this an editor page problem?

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m =( r.sub == r.obj.Owner ) ||  g(r.sub, p.sub) && (g2(r.obj, p.obj) && r.act == p.act || keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)) 

Your policy:

p, alice, data1, read
p, bob, data2, write
p, data_group_admin, data_group, write


p, data_group_admin, /alice_data/:resource, GET
p, data_group_admin, /alice_data2/:id/using/:resId, GET

g, alice, data_group_admin
g2, data1, data_group
g2, data2, data_group

Your request(s):

alice, data1, read
alice, data1, write
alice, data2, read
alice, data2, write 
alice, /alice_data/hello, GET
alice, /alice_data2/23/using/32, GET
alice, { Owner: 'alice'}, GET

@dragonborngem Note that you must use the ABAC model if your request has ABAC data. We need to convert the { Owner: 'alice'} string to an object.

@nodece there's an implicit requirement that the user has to choose the "ABAC" option from the drop-down list to actually "enable" the possibility of using ABAC. I think this is not good or consistent with how Casbin code runs actually. It confuses our users.

How Casbin editor enforces the policy shouldn't rely on the chosen option in the UI. Can we fix it?

@hsluoyz I should add a checkbox to enable the ABAC feature in the request container. What do you think?

> @dragonborngem Note that you must use the ABAC model if your request has ABAC data. We need to convert the { Owner: 'alice'} string to an object.

Oh I got it, but I think there must be some note, because a newbie to Casbin like me will be really confused about this. Tks !

@nodece Why can't we do it silently and automatically? E.g., if a policy element starts with "{" and ends with "}", then we know it's an ABAC struct and automatically convert it to an object.

@hsluoyz good idea. I will make a PR for this feature later.

@nodece thanks!

@dragonborngem fixed in: d93bc85
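
The auto-detection proposed in the thread, sketched as an added example that is not part of the issue or the casbin-editor source. All function names are hypothetical; it handles flat literals such as `{ Owner: 'alice'}` without `eval()` and shows why the last request flips on the matcher's first clause, `r.sub == r.obj.Owner`.

```javascript
// Added example; hypothetical helpers, not casbin-editor code.

// Split a request line on commas that are not inside {...}.
function splitRequest(line) {
  const parts = [];
  let depth = 0, cur = '';
  for (const ch of line) {
    if (ch === '{') depth++;
    if (ch === '}') depth--;
    if (ch === ',' && depth === 0) { parts.push(cur.trim()); cur = ''; }
    else cur += ch;
  }
  parts.push(cur.trim());
  return parts;
}

// Elements wrapped in {...} are treated as ABAC data. Bare keys are quoted and
// single quotes become double quotes so JSON.parse can be used instead of eval().
// Anything that still fails to parse stays a plain string.
function toAbacValue(el) {
  if (!(el.startsWith('{') && el.endsWith('}'))) return el;
  const json = el
    .replace(/([{,]\s*)([A-Za-z_$][\w$]*)\s*:/g, '$1"$2":')
    .replace(/'([^'\\]*)'/g, '"$1"');
  try {
    return JSON.parse(json);
  } catch {
    return el;
  }
}

function parseRequest(line, autoDetect) {
  const parts = splitRequest(line);
  return autoDetect ? parts.map(toAbacValue) : parts;
}

// First clause of the matcher in the issue: r.sub == r.obj.Owner
function ownerClause(sub, obj) {
  return obj != null && sub == obj.Owner;
}

const line = "alice, { Owner: 'alice'}, GET"; // last request from the issue
console.log(ownerClause(...parseRequest(line, false))); // obj left as a string
console.log(ownerClause(...parseRequest(line, true)));  // obj converted to an object
```

When the element stays a string, `r.obj.Owner` is undefined, so the ownership clause can never match and the request falls through to the role-based clauses.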