Closed hsluoyz closed 6 years ago
Hi, thanks for your interest in Hexya. I had a look at Casbin and it seems like a pretty good lib.
However, I'm not sure that this is really needed for Hexya. Hexya is a framework for writing business applications with a focus on quick development. It is largely inspired by Odoo. Unlike frameworks like ruby-on-rails or buffalo, we impose many things in the framework on the business developers that will use it, from the way to define and override models to the way objects are rendered client side.
The same applies for security where the concept is imposed to keep the resulting application consistent (we aim at building complex ERP with this framework). This security concept is centered around the models (because that's where the sensitive data of a business live), with method execution and field access limited to defined group lists. And the ability to define rules to filter allowed data from within the same model.
So I'm not sure how a library like Casbin would fit in this concept, since we do not intend to give more options to our developers than what is described above (and in the doc/security.adoc file).
Nevertheless, if you think the contrary, do not hesitate to make a PR with a proposal.
Hi @npiganeau,
I have seen https://github.com/hexya-erp/hexya/blob/master/doc/security.adoc, and found that there are lots of things overlapping with what Casbin can do. For example:
Permissions are granted or denied to groups
Besides allow and deny, Casbin also supports allow-override and deny-override.
security.AdminGroup are allowed to execute a method.
Casbin supports root role and root user too.
All = Read | Write | Unlink
Permissions like read, write, unlink, all. In Casbin, you can define * as all, and (read)|(write) for read and write. It supports regex.
Groups can inherit from other groups and get access to these groups permissions.
Casbin supports nested roles without level limitation too.
security.GroupEveryone
Casbin can use * to represent everyone.
Global rules and group rules (rules restricted to specific groups versus groups applying to all users) are used quite differently:
Casbin supports allow-override, deny-override, at-least-one-allow-and-no-deny, first-rule-apply. It covers the current subtractive and additive integration modes.
So I think the code in models/security can be mostly refactored to a Casbin model and rules, so it can be easily changed later. Since Hexya may not update the security model in the short term nor provide it to users, I think it can be regarded as code refactoring work, and Hexya developers are freed from the authorization-related coding and maintenance work so they can focus on the main objective of ERP modeling :)
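To make the comparison above concrete, here is an added example (written for this thread, not code from Hexya or from Casbin) of a small group-based policy evaluator with the properties the comment enumerates: groups inheriting from other groups with no depth limit, `*` as the everyone group and as the "all" permission, and the three policy effects named above (allow-override, deny-override, at-least-one-allow-and-no-deny). The group names, the `partner` model and the rules in `SamplePolicy` are constructed for illustration; the mode semantics follow Casbin's documented effect expressions as I understand them, in particular that deny-override grants access whenever no matching rule denies it.

```go
package main

import "fmt"

// Effect is what a single matching rule contributes: allow or deny.
type Effect int

const (
	Allow Effect = iota
	Deny
)

// Rule grants or denies one permission on one model to one group.
// Group "*" stands for everyone; Perm "*" stands for all permissions
// (read, write and unlink), like the "All = Read | Write | Unlink" shorthand.
type Rule struct {
	Group  string
	Model  string
	Perm   string
	Effect Effect
}

// Mode is the policy effect, i.e. how matching rule outcomes are combined.
type Mode int

const (
	AllowOverride  Mode = iota // any matching allow grants access
	DenyOverride               // access unless some matching rule denies (default allow)
	AllowAndNoDeny             // at least one allow and no deny (default deny)
)

// Policy holds the group hierarchy and the ordered rule list.
type Policy struct {
	parents map[string][]string // group -> groups it inherits permissions from
	rules   []Rule
}

func NewPolicy() *Policy { return &Policy{parents: map[string][]string{}} }

// Inherit records that child gets all permissions of parent; nesting is unbounded.
func (p *Policy) Inherit(child, parent string) {
	p.parents[child] = append(p.parents[child], parent)
}

func (p *Policy) Add(r Rule) { p.rules = append(p.rules, r) }

// effectiveGroups expands the user's direct groups through the inheritance
// graph. The seen set doubles as a cycle guard for misconfigured hierarchies.
func (p *Policy) effectiveGroups(direct []string) map[string]bool {
	seen := map[string]bool{"*": true} // everyone is implicitly a member of "*"
	var walk func(g string)
	walk = func(g string) {
		if seen[g] {
			return
		}
		seen[g] = true
		for _, parent := range p.parents[g] {
			walk(parent)
		}
	}
	for _, g := range direct {
		walk(g)
	}
	return seen
}

// Enforce decides whether a user in the given groups may perform perm on
// model, combining the matching rules according to mode.
func (p *Policy) Enforce(groups []string, model, perm string, mode Mode) bool {
	member := p.effectiveGroups(groups)
	allowed, denied := false, false
	for _, r := range p.rules {
		if r.Model != model || !member[r.Group] || (r.Perm != "*" && r.Perm != perm) {
			continue
		}
		if r.Effect == Allow {
			allowed = true
		} else {
			denied = true
		}
	}
	switch mode {
	case AllowOverride:
		return allowed
	case DenyOverride:
		return !denied
	default: // AllowAndNoDeny
		return allowed && !denied
	}
}

// SamplePolicy builds a constructed hierarchy: sales_manager and intern both
// inherit from sales; everyone may read partners, sales may write them,
// managers may do anything to them, and interns are explicitly denied writes.
func SamplePolicy() *Policy {
	p := NewPolicy()
	p.Inherit("sales_manager", "sales")
	p.Inherit("intern", "sales")
	p.Add(Rule{"*", "partner", "read", Allow})
	p.Add(Rule{"sales", "partner", "write", Allow})
	p.Add(Rule{"sales_manager", "partner", "*", Allow})
	p.Add(Rule{"intern", "partner", "write", Deny})
	return p
}

func main() {
	p := SamplePolicy()
	for _, m := range []Mode{AllowOverride, DenyOverride, AllowAndNoDeny} {
		fmt.Printf("mode %d: intern write=%v, nobody write=%v\n", m,
			p.Enforce([]string{"intern"}, "partner", "write", m),
			p.Enforce(nil, "partner", "write", m))
	}
}
```

The intern case is where the modes diverge: the inherited sales allow and the intern's own deny both match, so allow-override grants, while the other two modes refuse. The `nil` groups case shows why deny-override is the riskier default for an ERP: a user with no matching rule at all is granted write access because nothing denies it, whereas at-least-one-allow-and-no-deny keeps the default-deny behaviour of a group-list model.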
Hi, Casbin is an authorization library that supports models like ACL, RBAC, ABAC.
Related to RBAC, Casbin has several advantages:
And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible.
Casbin can provide more flexibility and security than the current ACL. I can make a PR if needed. Let me know if there are any questions :) Thanks.