casbin / casbin-rs

An authorization library that supports access control models like ACL, RBAC, ABAC in Rust.
https://casbin.org
Apache License 2.0
828 stars 67 forks

Deny does not work when using with diesel adapter #332

Closed Ameliabqy closed 2 months ago

Ameliabqy commented 2 months ago

I am using diesel adapter. I can confirm that the matcher works but the deny does not take effect. I have tried everything I could but I'm starting to think casbin is not reading the deny value correctly when used with diesel adapter.

Below is my policy and model. I am trying to get policy 3 to work. Took out p and p2 for simplicity.

...
p3 | role:agent1_group | c6de62b8-013e-4e4a-aec1-bb9d48e46c97 | 6dda0379-61a3-46e4-8b95-7a54982c60bd | | deny
p3 | ee13f1d5-2705-4dae-a7c9-45ab27bbf830 | c6de62b8-013e-4e4a-aec1-bb9d48e46c97 | 6dda0379-61a3-46e4-8b95-7a54982c60bd | | deny
g | ee13f1d5-2705-4dae-a7c9-45ab27bbf830 | role:agent1_group | c6de62b8-013e-4e4a-aec1-bb9d48e46c97

[request_definition]
r3 = user, agent, act

[policy_definition]
p3 = sub, org, agent, act, eft

[role_definition]
g = _, _, _

[policy_effect]
e3 = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m3 = g(r3.user.user_id, p3.sub, r3.user.org_id) && r3.user.org_id == p3.org && r3.agent == p3.agent && (r3.act == p3.act || p3.act == "*")

Ameliabqy commented 2 months ago

I unblocked myself by moving p3 to a separate model with diesel adapter and keeping the rest with csv policy. I think the issue might have been with enforce with context. Did not figure this out, but for now I am unblocked.