Authorization Model: Where did Casbin go?
L-U-C-K-Y opened this issue · comments
Hi all
Found this project and was reading through the readme and repo.
I noticed that the readme says that Casbin is used for authorization, but I cannot find any reference in the code.
Has it been removed again?
If yes, could I ask for the reasoning behind it, have you found a more suitable option?
Thanks!
@L-U-C-K-Y I think it has gone after this V3 PR: #1475
Thanks for opening this issue, @L-U-C-K-Y! Yes, until v3, we were using Casbin to manage permissions, but now we're doing everything using scopes in v4. I find this much simpler because scopes can have wildcards and you can have as many or as few associated with a user or API key.
For example, if a user (with user ID 10, for example) has the scope user-10:delete, this user can delete itself. If you're an admin, you might have the scope user-*:delete, meaning that you can delete all users, or user-*:*, meaning that you can do anything to users, or even *.
The default scopes are available at https://github.com/staart/api/blob/v4.0.2/src/helpers/scopes.ts.
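The wildcard scope check described in the comment above, as an added TypeScript example that is not part of the thread and not staart's own code. The function names and the exact wildcard rules (a bare * grants everything, a * inside a scope stops at the : separator) are assumptions.

```typescript
// Added example: not code from staart/api. Names and matching rules are assumptions.

// Escape regex metacharacters so a scope such as "user.10" is matched literally.
function escapeLiteral(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Compile one granted scope into an anchored RegExp.
// Assumption: a bare "*" grants everything; inside a scope, "*" matches any
// non-empty run of characters that does not cross the ":" separator.
function compileScope(granted: string): RegExp {
  if (granted === "*") return /^.+$/;
  const body = granted.split("*").map(escapeLiteral).join("[^:]+");
  // Anchoring with ^ and $ stops "user-10:delete" from matching "user-100:delete".
  return new RegExp("^" + body + "$");
}

// Default deny: true only if some granted scope matches the required one.
// The required scope is built from the request, so it must be concrete:
// a "*" in it is rejected instead of being treated as a pattern.
function can(grantedScopes: string[], required: string): boolean {
  if (required.length === 0 || required.indexOf("*") !== -1) return false;
  return grantedScopes.some((scope) => compileScope(scope).test(required));
}

// Constructed sample grants, following the scopes named in the comment above.
const selfOnly: string[] = ["user-10:delete"];
const userAdmin: string[] = ["user-*:delete"];

console.log(
  ["user-10:delete", "user-100:delete", "user-42:delete"].map(
    (required) => required + " self=" + can(selfOnly, required) + " admin=" + can(userAdmin, required)
  )
);
```
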
Thanks @AnandChowdhary for elaborating!
For example, if a user (with user ID 10, for example) has the scope user-10:delete, this user can delete itself. If you're an admin, you might have the scope user-*:delete, meaning that you can delete all users, or user-*:*, meaning that you can do anything to users, or even *.
I think the wildcards can also be supported by Casbin via the keyMatch() and regexMatch() functions: https://casbin.org/docs/en/function#functions-in-matchers