casbin / pycasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Python

Home Page: https://casbin.org

[BUG]: KeyError: 'g' when build_role_links

zhou93 opened this issue

Below is my role definition

[role_definition]
g = _, _, (_, _)
g2 = _, _

From the code, we can see that when params_tokens is greater than 0, it will be added to cond_rm_map:

if len(assertion.tokens) <= 2 and len(assertion.params_tokens) != 0:
    assertion.cond_rm = default_role_manager.ConditionalRoleManager(10)
    self.cond_rm_map[ptype] = assertion.cond_rm

In the build_role_links function, there is no check if the map contains the required key, which can cause an error:

def build_role_links(self, rm_map):
    """initializes the roles in RBAC."""

    if "g" not in self.keys():
        return

    for ptype, ast in self["g"].items():
        rm = rm_map[ptype]
        ast.build_role_links(rm)

In the build_conditional_role_links function, the check is correctly implemented:

def build_conditional_role_links(self, cond_rm_map):
    if "g" not in self.keys():
        return
    self.print_policy()
    for ptype, ast in self["g"].items():
        cond_rm = cond_rm_map.get(ptype)
        if cond_rm:
            ast.build_conditional_role_links(cond_rm)

🎉 This issue has been resolved in version 1.36.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

Error When Calling get_implicit_permissions_for_user

In the above scenario, calling the function get_implicit_permissions_for_user results in an error.

From the code, we can see:

def get_named_implicit_permissions_for_user(self, ptype, user, domain="", filter_policy_dom=True):
    """
    gets implicit permissions for a user or role by named policy.
    Compared to get_permissions_for_user(), this function retrieves permissions for inherited roles.
    For example:
    p, admin, data1, read
    p, alice, data2, read
    g, alice, admin

    get_permissions_for_user("alice") can only get: [["alice", "data2", "read"]].
    But get_implicit_permissions_for_user("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

    For given domain policies are filtered by corresponding domain matching function of DomainManager
    Inherited roles can be matched by domain. For domain neutral policies set:
        filter_policy_dom = False

    filter_policy_dom: bool - For given *domain*, policies will be filtered by domain as well. Default = True
    """
    roles = self.get_implicit_roles_for_user(user, domain)

    roles.insert(0, user)

    res = []

    # policy domain should be matched by domain_match_fn of DomainManager
    domain_matching_func = self.get_role_manager().domain_matching_func
    if domain and domain_matching_func != None:
        domain = partial(domain_matching_func, domain)

    for role in roles:
        permissions = self.get_named_permissions_for_user_in_domain(
            ptype, role, domain if filter_policy_dom else ""
        )
        res.extend(permissions)

    return res

This function calls get_role_manager, which is defined as follows:

def get_role_manager(self):
    """gets the current role manager."""
    return self.rm_map["g"]

At this point, rm_map does not contain g, because g is in cond_rm_map.
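
The two lookups reported in this thread (build_role_links and get_role_manager), as an added example that is not part of the thread and not pycasbin's code: a stand-alone model of the two maps showing the unguarded lookup next to a guarded one. All class and function names, the placeholder manager strings, and the rule that a ptype without params_tokens lands in rm_map are assumptions; the guarded variants are one possible guard, not the change released in 1.36.3.

```python
# Added example: names are hypothetical stand-ins, not pycasbin's own classes.
class Assertion:
    def __init__(self, tokens, params_tokens):
        self.tokens, self.params_tokens = list(tokens), list(params_tokens)
        self.linked_with = None  # role manager used to build links, if any

    def build_role_links(self, rm):
        self.linked_with = rm


def register(role_defs):
    """Apply the rule quoted in the issue: a ptype with params_tokens is stored
    in cond_rm_map. Assumption: every other ptype is stored in rm_map."""
    g, rm_map, cond_rm_map = {}, {}, {}
    for ptype, (tokens, params) in role_defs.items():
        ast = g[ptype] = Assertion(tokens, params)
        if len(ast.tokens) <= 2 and len(ast.params_tokens) != 0:
            cond_rm_map[ptype] = "cond-rm:" + ptype  # placeholder manager
        else:
            rm_map[ptype] = "rm:" + ptype  # placeholder manager
    return g, rm_map, cond_rm_map


def build_role_links_unguarded(g, rm_map):
    """Same lookup as the quoted build_role_links: indexes rm_map directly."""
    for ptype, ast in g.items():
        ast.build_role_links(rm_map[ptype])  # KeyError for a conditional ptype


def build_role_links_guarded(g, rm_map):
    """Skip ptypes that have no plain role manager; return the ones linked."""
    linked = []
    for ptype, ast in g.items():
        rm = rm_map.get(ptype)
        if rm is not None:
            ast.build_role_links(rm)
            linked.append(ptype)
    return linked


def get_role_manager(rm_map, cond_rm_map, ptype="g"):
    """Look in both maps and raise a descriptive error instead of KeyError."""
    rm = rm_map.get(ptype) or cond_rm_map.get(ptype)
    if rm is None:
        raise LookupError("no role manager registered for " + repr(ptype))
    return rm


# Constructed input mirroring the issue: g = _, _, (_, _) and g2 = _, _
ROLE_DEFS = {"g": (("_", "_"), ("_", "_")), "g2": (("_", "_"), ())}
```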