Closed vasanth123 closed 9 months ago
@nodece @Shivansh-yadav13
Backend (Express) route:

```javascript
// Imports added so the snippet runs on its own; the node-casbin package exports both.
const { newEnforcer, casbinJsGetPermissionForUser } = require('casbin');

app.get('/api/casbin', async (req, res) => {
  res.setHeader('Access-Control-Allow-Origin', '*');
  try {
    const subject = req.query.subject;
    var e = await newEnforcer('model.conf', 'rbac_policy.csv');
    //var e = new Enforcer();
    //e.initWithFile('model.conf', 'rbac_policy.csv');
    // Returns the model and policy as a JSON string for the frontend Authorizer.
    var permissions = await casbinJsGetPermissionForUser(e, subject);
    // res.setHeader('Access-Control-Allow-Origin', '*');
    res.send({ data: permissions });
  } catch (error) {
    console.log("getPermissionsByRoleId:", error);
    res.status(400).json(error.message);
  }
});
```

Frontend (casbin.js):

```javascript
// Import added so the snippet runs on its own.
import { Authorizer } from 'casbin.js';

const authorizer = new Authorizer(
  "auto", // mode
  {
    // The URL must be a string; unquoted it is a syntax error.
    endpoint: "http://localhost:3001/api/casbin",
    requestHeaders: {
      method: ["GET"],
    }
  }
);

// Set your visitor.
// Casbin.js will automatically sync the permission with your backend Casbin service.
authorizer.setUser("74");

// Evaluate the permission
const result = await authorizer.can("read", "/dashboard/*");
console.log("result", result);
```
casbinJsGetPermissionForUser returns all users' policies instead of the current user's
@vasanth123 what's your question?
@hsluoyz While creating this issue, I faced an "Enforcer not initialized" issue in the frontend React app.
The issue is fixed after placing my API call in componentWillMount(), but the backend service, i.e. casbinJsGetPermissionForUser, returns all users' policy info instead of the given user's info.
I have pasted my policy.csv for your reference:
```csv
p, , /, GET
p, admin, /, GET
p, admin, /rest, GET
p, admin, /test, POST
p, vasanth, /test12, GET
p, vasanth, /test12, POST
```
In the frontend, after `authorizer.setUser('vasanth');` the API call is triggered once the user info is set up, but the backend service returns the whole policy, including the admin data, instead of only vasanth's info.
@vasanth123

> but the backend service, i.e. casbinJsGetPermissionForUser, returns all users' policy info instead of the given user's info.
This is expected, see: https://casbin.org/docs/frontend#advanced-usage
For safety purposes, Casbin needs all policy information to do enforcement. If your case is supportive, you can tailor the output of casbinJsGetPermissionForUser() to save some bandwidth.
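One way to do the tailoring suggested above, as an added example that is not part of this thread and not casbin.js or node-casbin code: filter the payload so that only the `p` rules belonging to the requesting subject (directly, or through roles reachable via `g` rules) are sent to the browser. It assumes the payload is the JSON object `{ m, p, g }` (model text, policy rules as arrays, role links as arrays); the `g` key and the `reader` role in the constructed sample are assumptions added to show role expansion, the thread's own policy.csv has neither.

```javascript
// Added example, not from casbin.js, node-casbin or the thread.
// Assumed payload shape (an assumption, not verified against node-casbin):
//   { m: "<model text>", p: [[sub, obj, act], ...], g: [[user, role], ...] }

// Set of subjects the user acts as: the user plus every role reachable
// through g rules (transitive, cycle-safe).
function rolesOf(subject, gRules) {
  const seen = new Set([subject]);
  const stack = [subject];
  while (stack.length) {
    const cur = stack.pop();
    for (const [user, role] of gRules) {
      if (user === cur && !seen.has(role)) {
        seen.add(role);
        stack.push(role);
      }
    }
  }
  return seen;
}

// Keep the model text unchanged (the frontend needs it to enforce locally),
// but keep only p rules for the user or their roles and only the g rules on
// the path from the user to those roles. Rules with an empty subject are
// dropped because no subject matches them.
function tailorPermissions(payloadJson, subject) {
  const payload = JSON.parse(payloadJson);
  const gRules = Array.isArray(payload.g) ? payload.g : [];
  const allowed = rolesOf(subject, gRules);
  const p = (payload.p || []).filter((rule) => rule[0] !== "" && allowed.has(rule[0]));
  const g = gRules.filter(([user, role]) => allowed.has(user) && allowed.has(role));
  return JSON.stringify({ m: payload.m, p, g });
}

// Constructed sample mirroring the policy.csv pasted in the thread, plus a
// constructed "reader" role granted to vasanth through a g rule.
const SAMPLE_MODEL = [
  "[request_definition]", "r = sub, obj, act", "",
  "[policy_definition]", "p = sub, obj, act", "",
  "[role_definition]", "g = _, _", "",
  "[policy_effect]", "e = some(where (p.eft == allow))", "",
  "[matchers]", "m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && r.act == p.act",
].join("\n");

const SAMPLE_PAYLOAD = JSON.stringify({
  m: SAMPLE_MODEL,
  p: [
    ["", "/", "GET"],
    ["admin", "/", "GET"],
    ["admin", "/rest", "GET"],
    ["admin", "/test", "POST"],
    ["vasanth", "/test12", "GET"],
    ["vasanth", "/test12", "POST"],
    ["reader", "/docs", "GET"],
  ],
  g: [["vasanth", "reader"]],
});

// Payload vasanth would receive: only vasanth's and reader's rules, one g link.
function vasanthView() {
  return JSON.parse(tailorPermissions(SAMPLE_PAYLOAD, "vasanth"));
}

// Payload admin would receive: admin's three rules, no g links.
function adminView() {
  return JSON.parse(tailorPermissions(SAMPLE_PAYLOAD, "admin"));
}

console.log(vasanthView());
console.log(adminView());
```

In the Express route above this would be `res.send({ data: tailorPermissions(await casbinJsGetPermissionForUser(e, subject), subject) })`. Two caveats: the subject comes from `req.query.subject`, so it should be taken from the authenticated session rather than trusted from the query string, and trimming the frontend copy only limits what the browser learns; the backend enforcer must still authorize every request itself.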
@hsluoyz In the above link, the "Why casbin.js" section says: "We also avoid storing all the policies at the frontend. The user can only access their own permission, but has no knowledge about the access-control model and other users' permissions." I have attached a screenshot below for reference.
But currently, it's storing all the policies in local storage in the frontend. Please correct me if I am missing something.
@hsluoyz Any update on this? Please let me know if my understanding is correct.
@vasanth123 yes, currently it's storing all Casbin model and policy, like backend Casbin
> @hsluoyz In the above link, the "Why casbin.js" section says: "We also avoid storing all the policies at the frontend. The user can only access their own permission, but has no knowledge about the access-control model and other users' permissions." I have attached a screenshot below for reference.
> But currently, it's storing all the policies in local storage in the frontend. Please correct me if I am missing something.
I also had this problem, and as you wrote, the problem was in the order of the request.
When you call the `can` method of the Authorizer class, it always enforces your request in its own order:
`enforcer.enforce(this.user, domain, object, action)`
And if you have your own request order, `authorizer.can` will throw an error.
So I created my own library that solves this problem; you can write your request in whatever order you want: https://github.com/Dias1c/casbin-js/tree/main
@vasanth123 can you make a PR?
pls provide the solution here
Originally posted by @vasanth123 in https://github.com/casbin/casbin.js/issues/273#issuecomment-1736543097