Closed mvalitov closed 8 months ago
@mvalitov test on the online editor first: https://casbin.org/editor/
Psy Shell v0.11.12 (PHP 8.2.3 — cli) by Justin Hileman
> use Enforcer;
> Enforcer::addPermissionForUser('eve', 'articles', 'read');
= true
> Enforcer::addRoleForUser('eve', 'writer');
= true
> Enforcer::addPolicy('writer', 'articles','edit');
= true
> Enforcer::enforce("eve", "articles", "edit");
= true
> Enforcer::getRolesForUser('eve');
= [
    "writer",
  ]
> Enforcer::hasPermissionForUser('eve', 'articles', 'read');
= true
> Enforcer::hasPermissionForUser('eve', 'articles', 'edit');
= false
> Enforcer::getPolicy();
= [
    [
      "eve",
      "articles",
      "read",
    ],
    [
      "writer",
      "articles",
      "edit",
    ],
  ]
@mvalitov Did you install it correctly? And did you execute the publish command to publish the model configuration file? Here are the results of my run. In addition, hasPermissionForUser only obtains direct permissions and does not include indirect permissions.
I added in my config/app.php
Lauthz\LauthzServiceProvider::class,
to providers,
'Enforcer' => Lauthz\Facades\Enforcer::class,
to aliases
config/lauthz.php and config/lauthz-rbac-model.php are default:
<?php
return [
    /*
     * Default Lauthz driver
     */
    'default' => 'basic',
    'basic' => [
        /*
         * Casbin model setting.
         */
        'model' => [
            // Available Settings: "file", "text"
            'config_type' => 'file',
            'config_file_path' => __DIR__ . DIRECTORY_SEPARATOR . 'lauthz-rbac-model.conf',
            'config_text' => '',
        ],
        /*
         * Casbin adapter.
         */
        'adapter' => Lauthz\Adapters\DatabaseAdapter::class,
        /*
         * Database setting.
         */
        'database' => [
            // Database connection for following tables.
            'connection' => '',
            // Rule table name.
            'rules_table' => 'rules',
        ],
        'log' => [
            // changes whether Lauthz will log messages to the Logger.
            'enabled' => false,
            // Casbin Logger, Supported: \Psr\Log\LoggerInterface|string
            'logger' => 'log',
        ],
        'cache' => [
            // changes whether Lauthz will cache the rules.
            'enabled' => false,
            // cache store
            'store' => 'default',
            // cache Key
            'key' => 'rules',
            // ttl \DateTimeInterface|\DateInterval|int|null
            'ttl' => 24 * 60,
        ],
    ],
];
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
migration:
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
class CreateRulesTable extends Migration
{
    /**
     * Run the migrations.
     */
    public function up()
    {
        $connection = config('lauthz.basic.database.connection') ?: config('database.default');
        Schema::connection($connection)->create(config('lauthz.basic.database.rules_table'), function (Blueprint $table) {
            $table->increments('id');
            $table->string('ptype')->nullable();
            $table->string('v0')->nullable();
            $table->string('v1')->nullable();
            $table->string('v2')->nullable();
            $table->string('v3')->nullable();
            $table->string('v4')->nullable();
            $table->string('v5')->nullable();
            $table->timestamps();
        });
    }
    /**
     * Reverse the migrations.
     */
    public function down()
    {
        $connection = config('lauthz.basic.database.connection') ?: config('database.default');
        Schema::connection($connection)->dropIfExists(config('lauthz.basic.database.rules_table'));
    }
}
in rules table:
In addition, hasPermissionForUser only obtains direct permissions and does not include indirect permissions.
So, to check access, you need to check the permissions of each role of this user?
Check permissions to use:
Enforcer::enforce("eve", "articles", "edit")
in rules table:
Is there data in the rules table that is not the model, causing the number of parameter fields to be inconsistent with the model definition?
Yes, there seems to be a problem with some row in the table. I deleted all entries and now there is no error.
Am I using the Enforcer::enforce function incorrectly? And why does user eve not have access to 'edit articles' if she has the role 'writer', and the role 'writer' has the permission 'edit articles'?
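
The two points raised in this thread, as an added example that is not part of the original posts and is not Lauthz or Casbin code: a direct-permission lookup misses what a role grants, while evaluating the model's matcher follows the g link, and rule rows whose field count does not match the model should be caught before they reach the enforcer. The function names, the ARITY constant and the sample rows are constructed for illustration.

```php
<?php
// Added illustration in plain PHP (no Casbin calls). $rows is constructed sample
// data shaped like the rules table (ptype, v0..v5), not data from the thread.
$rows = [
    ['ptype' => 'p', 'v0' => 'eve',    'v1' => 'articles', 'v2' => 'read'],
    ['ptype' => 'p', 'v0' => 'writer', 'v1' => 'articles', 'v2' => 'edit'],
    ['ptype' => 'g', 'v0' => 'eve',    'v1' => 'writer'],
    ['ptype' => 'p', 'v0' => 'writer', 'v1' => 'articles'], // stale row, one field short
];
// Field counts taken from the model on this page: p = sub, obj, act and g = _, _
const ARITY = ['p' => 3, 'g' => 2];

// Split rows into well-formed rules and rows that do not fit the model.
function loadRules(array $rows): array {
    $rules = ['p' => [], 'g' => [], 'rejected' => []];
    foreach ($rows as $row) {
        $fields = [];
        foreach (['v0', 'v1', 'v2', 'v3', 'v4', 'v5'] as $col) {
            if (isset($row[$col]) && $row[$col] !== '') { $fields[] = $row[$col]; }
        }
        $ptype = $row['ptype'] ?? '';
        $ok = array_key_exists($ptype, ARITY) && count($fields) === ARITY[$ptype];
        $rules[$ok ? $ptype : 'rejected'][] = $ok ? $fields : $row;
    }
    return $rules;
}
// Direct lookup: only p rules whose subject is exactly $sub.
function hasDirectPermission(array $rules, string $sub, string $obj, string $act): bool {
    return in_array([$sub, $obj, $act], $rules['p'], true);
}
// Every subject that satisfies g(r.sub, p.sub): the user plus all roles reachable via g.
function subjectsFor(array $rules, string $user): array {
    $seen = [$user => true];
    $queue = [$user];
    while ($queue) {
        $cur = array_shift($queue);
        foreach ($rules['g'] as [$member, $role]) {
            if ($member === $cur && !isset($seen[$role])) { $seen[$role] = true; $queue[] = $role; }
        }
    }
    return array_keys($seen);
}
// Matcher from the page: g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
function enforce(array $rules, string $user, string $obj, string $act): bool {
    foreach (subjectsFor($rules, $user) as $sub) {
        if (hasDirectPermission($rules, (string) $sub, $obj, $act)) { return true; }
    }
    return false;
}
$rules = loadRules($rows);
var_dump(hasDirectPermission($rules, 'eve', 'articles', 'edit')); // direct rules only
var_dump(enforce($rules, 'eve', 'articles', 'edit'));             // follows eve -> writer
var_dump($rules['rejected']);                                     // rows to inspect or delete
```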