casbin / casbin.js

An authorization library that supports access control models like ACL, RBAC, ABAC in Frontend Javascript
https://casbin.org/docs/en/frontend
Apache License 2.0
160 stars 37 forks

can() returns an incorrect value #210

Closed JanakaSandaruwan closed 3 years ago

JanakaSandaruwan commented 3 years ago

I am using basic_model.conf and basic_policy.csv as follows.

    [request_definition]
    r = sub, obj, act

    [policy_definition]
    p = sub, obj, act

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

    p, alice, data1, read
    p, bob, data2, write

Backend service is defined as follows.

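    const express = require('express');
    const { newEnforcer, casbinJsGetPermissionForUser } = require('casbin');

    const app = express();

    app.get('/api/casbin', async (req, res) => {
        // Get the user identity from URL.
        const user = String(req.query["casbin_subject"]);
        console.log(user);
        // Load the model and policy, then export this user's permissions for casbin.js.
        const enforcer = await newEnforcer('/path/to/basic_model.conf', '/path/to/basic_policy.csv');
        const ne = await casbinJsGetPermissionForUser(enforcer, user);
        // Return the response to the client-side.
        await res.status(200).json({
            message: 'ok',
            data: ne
        });
    });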

In my React application, I use

    async componentDidMount () {
        const authorizer = new casbinjs.Authorizer('auto', {endpoint: 'http://localhost:3000/api/casbin'});
        await authorizer.setUser("alice");
        let me = await authorizer.can("read", "data1");
        console.log(me); // this gives false which is incorrect
    }

User alice can read data1 according to the model. However, authorizer.can("read", "data1") returns false, which is incorrect.

casbin-bot commented 3 years ago

@nodece @Zxilly @Gabriel-403

JanakaSandaruwan commented 3 years ago

This is resolved after upgrading the package version.
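
The decision expected in this issue can be checked independently of the library version. The following is an added example, not part of the thread and not casbin code: it evaluates the model and policy quoted in the issue with a small hand-written matcher, and mirrors the (action, object) argument order of can() used in the post. All function names are hypothetical.

```javascript
// Added example: reference evaluation of the ACL model and policy quoted in the issue.
// MODEL and POLICY are copied from the post; every function name here is hypothetical.
const MODEL = `
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
`;
const POLICY = `
p, alice, data1, read
p, bob, data2, write
`;

// Read the field list of a definition line such as "r = sub, obj, act".
function fieldsOf(model, key) {
  const m = model.match(new RegExp(`^${key}\\s*=\\s*(.+)$`, 'm'));
  if (!m) throw new Error(`model has no "${key}" definition`);
  return m[1].split(',').map((s) => s.trim());
}

// Parse "p, sub, obj, act" lines into objects keyed by the policy_definition fields.
function parsePolicy(csv, fields) {
  return csv.split('\n')
    .map((line) => line.split(',').map((s) => s.trim()))
    .filter((cols) => cols[0] === 'p')
    .map((cols) => {
      if (cols.length - 1 !== fields.length) throw new Error(`bad rule: ${cols.join(', ')}`);
      return Object.fromEntries(fields.map((f, i) => [f, cols[i + 1]]));
    });
}

// Matcher: sub, obj and act must all be equal. Effect: allow if some rule matches.
function expectedDecision(sub, obj, act) {
  const rFields = fieldsOf(MODEL, 'r');
  const rules = parsePolicy(POLICY, fieldsOf(MODEL, 'p'));
  const request = Object.fromEntries(rFields.map((f, i) => [f, [sub, obj, act][i]]));
  return rules.some((p) => rFields.every((f) => request[f] === p[f]));
}

// The post calls can("read", "data1"): action first, then object. The request
// definition orders them (sub, obj, act), so the arguments are swapped here.
const expectedCan = (user, action, object) => expectedDecision(user, object, action);
```

If this reference check and authorizer.can() disagree for the same user, action and object, the policy is not at fault and the installed package versions are the next thing to compare.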