php-casbin / laravel-authz

An authorization library that supports access control models like ACL, RBAC, ABAC in Laravel.
Apache License 2.0
272 stars 46 forks

understanding roles #62

Closed mvalitov closed 8 months ago

mvalitov commented 8 months ago
> use Enforcer;
> Enforcer::addPermissionForUser('eve', 'articles', 'read');
= true

> Enforcer::addRoleForUser('eve', 'writer');
= true

> Enforcer::addPolicy('writer', 'articles','edit');
= true

> Enforcer::enforce("eve", "articles", "edit")

   ValueError  array_combine(): Argument #1 ($keys) and argument #2 ($values) must have the same number of elements.

> Enforcer::getRolesForUser('eve');
= [
    "writer",
  ]

> Enforcer::hasPermissionForUser('eve', 'articles', 'read');
= true

> Enforcer::hasPermissionForUser('eve', 'articles', 'edit');
= false

Am I using the Enforcer::enforce function incorrectly? And why does user eve not have access to 'edit articles' if she has the role 'writer', and the role 'writer' has the permission 'edit articles'?

"php": "^8.2",
"casbin/laravel-authz": "^3.1",
"laravel/framework": "^10.0"
hsluoyz commented 8 months ago

@mvalitov test on the online editor first: https://casbin.org/editor/

mvalitov commented 8 months ago
image
leeqvip commented 8 months ago
Psy Shell v0.11.12 (PHP 8.2.3 — cli) by Justin Hileman
> use Enforcer;
> Enforcer::addPermissionForUser('eve', 'articles', 'read');
= true

> Enforcer::addRoleForUser('eve', 'writer');
= true

> Enforcer::addPolicy('writer', 'articles','edit');
= true

> Enforcer::enforce("eve", "articles", "edit");
= true

> Enforcer::getRolesForUser('eve');
= [
    "writer",
  ]

> Enforcer::hasPermissionForUser('eve', 'articles', 'read');
= true

> Enforcer::hasPermissionForUser('eve', 'articles', 'edit');
= false

> Enforcer::getPolicy();
= [
    [
      "eve",
      "articles",
      "read",
    ],
    [
      "writer",
      "articles",
      "edit",
    ],
  ]

@mvalitov Did you install it correctly, and did you execute the publish command to publish the model configuration file? Here are the results of my run. In addition, hasPermissionForUser only obtains direct permissions and does not include indirect permissions.

mvalitov commented 8 months ago

I added Lauthz\LauthzServiceProvider::class to providers and 'Enforcer' => Lauthz\Facades\Enforcer::class to aliases in my config/app.php. config/lauthz.php and config/lauthz-rbac-model.php are the defaults:

<?php

return [
    /*
     * Default Lauthz driver
     */
    'default' => 'basic',

    'basic' => [
        /*
        * Casbin model setting.
        */
        'model' => [
            // Available Settings: "file", "text"
            'config_type' => 'file',

            'config_file_path' => __DIR__ . DIRECTORY_SEPARATOR . 'lauthz-rbac-model.conf',

            'config_text' => '',
        ],

        /*
        * Casbin adapter.
        */
        'adapter' => Lauthz\Adapters\DatabaseAdapter::class,

        /*
        * Database setting.
        */
        'database' => [
            // Database connection for following tables.
            'connection' => '',

            // Rule table name.
            'rules_table' => 'rules',
        ],

        'log' => [
            // changes whether Lauthz will log messages to the Logger.
            'enabled' => false,

            // Casbin Logger, Supported: \Psr\Log\LoggerInterface|string
            'logger' => 'log',
        ],

        'cache' => [
            // changes whether Lauthz will cache the rules.
            'enabled' => false,

            // cache store
            'store' => 'default',

            // cache Key
            'key' => 'rules',

            // ttl \DateTimeInterface|\DateInterval|int|null
            'ttl' => 24 * 60,
        ],
    ],
];
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act

migration:

<?php

use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

class CreateRulesTable extends Migration
{
    /**
     * Run the migrations.
     */
    public function up()
    {
        $connection = config('lauthz.basic.database.connection') ?: config('database.default');
        Schema::connection($connection)->create(config('lauthz.basic.database.rules_table'), function (Blueprint $table) {
            $table->increments('id');
            $table->string('ptype')->nullable();
            $table->string('v0')->nullable();
            $table->string('v1')->nullable();
            $table->string('v2')->nullable();
            $table->string('v3')->nullable();
            $table->string('v4')->nullable();
            $table->string('v5')->nullable();
            $table->timestamps();
        });
    }

    /**
     * Reverse the migrations.
     */
    public function down()
    {
        $connection = config('lauthz.basic.database.connection') ?: config('database.default');
        Schema::connection($connection)->dropIfExists(config('lauthz.basic.database.rules_table'));
    }
}
mvalitov commented 8 months ago

in rules table:

image
mvalitov commented 8 months ago

> In addition, hasPermissionForUser only obtains direct permissions and does not include indirect permissions.

So, to check access, you need to check the permissions of each role of this user?

leeqvip commented 8 months ago

To check permissions, use:

Enforcer::enforce("eve", "articles", "edit")
leeqvip commented 8 months ago

> in rules table: image

Is there data in the rules table that does not match the model, causing the number of parameter fields to be inconsistent with the model definition?

mvalitov commented 8 months ago

> in rules table: image
>
> Is there data in the rules table that does not match the model, causing the number of parameter fields to be inconsistent with the model definition?

Yes, there seems to be a problem with some row in the table. I deleted all entries and now there is no error.
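Two points in this thread are easy to get wrong in production: hasPermissionForUser only looks at direct p rules and never follows g, so enforce() is the call that reflects role inheritance; and a stored rule whose field count does not match the model definition makes the whole enforcer throw (php-casbin binds v0..vN to the model's field names with array_combine(), which is the ValueError at the top of the issue). The following is an added example, not code from php-casbin or laravel-authz: a hypothetical, minimal Python re-implementation of exactly the model shown above (r/p = sub, obj, act; g = _, _; matcher g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act) over a constructed copy of the rules table, with one deliberately malformed row. It reproduces the enforce()/hasPermissionForUser() difference and adds the validation step a practitioner would want before pointing an enforcer at an existing table: report the bad row by content rather than failing with an opaque error. Names such as load_rules, find_malformed_rows and RuleShapeError are this example's own.

```python
# Added example (hypothetical, not php-casbin/laravel-authz code): a minimal
# stand-in for the RBAC model in this issue, plus a field-count check that
# corresponds to the array_combine() failure seen in the thread.

POLICY_FIELDS = ("sub", "obj", "act")   # [policy_definition] p = sub, obj, act
ROLE_FIELDS = ("user", "role")          # [role_definition]   g = _, _

# Constructed sample of a `rules` table as the DatabaseAdapter stores it:
# (ptype, v0, v1, v2, ...). The last row is deliberately malformed: four
# values for a three-field "p" definition, the kind of stray row that
# made Enforcer::enforce() throw in the issue.
RULES_TABLE = [
    ("p", "eve", "articles", "read"),
    ("g", "eve", "writer"),
    ("p", "writer", "articles", "edit"),
    ("p", "bob", "articles", "edit", "extra"),
]


class RuleShapeError(ValueError):
    """A stored rule has a different number of fields than its definition."""


def load_rules(rows):
    """Split rows into p-rules and g-rules, binding v0..vN to model field
    names. Casbin does this binding per row; a count mismatch is rejected
    here with the offending row named instead of an opaque error."""
    policies, roles = [], []
    for row in rows:
        ptype, values = row[0], row[1:]
        expected = POLICY_FIELDS if ptype == "p" else ROLE_FIELDS
        if len(values) != len(expected):
            raise RuleShapeError(
                f"{ptype} rule {row!r} has {len(values)} fields, "
                f"model defines {len(expected)}"
            )
        (policies if ptype == "p" else roles).append(dict(zip(expected, values)))
    return policies, roles


def roles_for_user(user, roles):
    """Transitive closure over g (user -> role -> role ...), cycle-safe."""
    found, frontier = set(), [user]
    while frontier:
        current = frontier.pop()
        for g in roles:
            if g["user"] == current and g["role"] not in found:
                found.add(g["role"])
                frontier.append(g["role"])
    return found


def enforce(sub, obj, act, policies, roles):
    """m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act.
    g(r.sub, p.sub) holds when p.sub is r.sub itself or any role reachable
    from r.sub, so role-inherited permissions are honoured here."""
    subjects = {sub} | roles_for_user(sub, roles)
    return any(
        p["sub"] in subjects and p["obj"] == obj and p["act"] == act
        for p in policies
    )


def has_permission_for_user(sub, obj, act, policies):
    """Direct permissions only: p rules whose sub is exactly the user, with
    no look at g. This is why it is false for eve/articles/edit."""
    return any(
        p["sub"] == sub and p["obj"] == obj and p["act"] == act for p in policies
    )


def find_malformed_rows(rows):
    """Audit helper: list rows that do not fit the model, without raising."""
    bad = []
    for row in rows:
        try:
            load_rules([row])
        except RuleShapeError as exc:
            bad.append(str(exc))
    return bad


def demo():
    """Reproduce the thread on the constructed table: the malformed row is
    reported and skipped, enforce() sees the role-inherited permission,
    has_permission_for_user() does not."""
    bad = find_malformed_rows(RULES_TABLE)
    clean = [r for r in RULES_TABLE if not find_malformed_rows([r])]
    policies, roles = load_rules(clean)
    return {
        "roles_for_eve": sorted(roles_for_user("eve", roles)),
        "enforce_edit": enforce("eve", "articles", "edit", policies, roles),
        "direct_read": has_permission_for_user("eve", "articles", "read", policies),
        "direct_edit": has_permission_for_user("eve", "articles", "edit", policies),
        "malformed": bad,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints roles_for_eve ['writer'], enforce_edit True, direct_read True, direct_edit False and one malformed-row report. The design choice worth copying is the audit step: in the real setup, the equivalent is to check that every row in the rules table has exactly the number of non-null v-columns its ptype's definition calls for before the enforcer loads it, so a bad insert shows up as a named row rather than as a ValueError on every enforce() call.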