I'm trying to implement Casbin authentication so that a user can only get their own username, but apply this to a group. Example:
/users/get/alice can be called by the user with username alice,
/users/get/john50 can be called by the user with username john50, and
alice and john50 can't call each other's endpoint.
However, I want to be able to apply this to all users within a group, so ideally I'd want my policy to look like:
p, staff-all, /users/get/:userid, GET, allow
Is this something I can implement in the policy and model, or would I need to implement something in code? This sounds like a more complicated use case than can be handled in the policy and model.
My current model:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
I have seen something similar in the Casbin examples, but these seem to give a specific username rather than doing it via groups.
See the keyGet() functions here: https://casbin.org/docs/en/function
The matcher will be something like:
m = (r.sub == keyGet(r.obj, p.obj)) && <other_part>
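The following is an added, self-contained illustration of how the combined matcher behaves against the question's policy; it is not code from the original question, the answer, or the Casbin project. It re-implements the semantics of Casbin's built-in keyMatch2 and keyGet2 (the `:name`-placeholder variants; keyGet2 takes the placeholder name as a third argument) and the `g` role lookup in plain Python so it runs without pycasbin installed. The policy and grouping rows are constructed for the example: `staff-all` is the group from the question, and `alice`, `john50` and `mallory` are assumed users. In a real deployment the model file would carry the matcher and the library would evaluate it.

```python
import re

# Constructed policy for the question's scenario: one rule for the whole group.
POLICY = [
    # ptype, sub,         obj,                   act,   eft
    ("p", "staff-all", "/users/get/:userid", "GET", "allow"),
]

# Constructed grouping rows: which users belong to staff-all. mallory is deliberately absent.
GROUPING = [
    # ptype, user,     role
    ("g", "alice", "staff-all"),
    ("g", "john50", "staff-all"),
]


def key_match2(key1: str, key2: str) -> bool:
    """Re-implementation of Casbin's keyMatch2: '/foo/:id' matches '/foo/123', '/foo/*' matches '/foo/a/b'."""
    key2 = key2.replace("/*", "/.*")
    key2 = re.sub(r":[^/]+", r"[^/]+", key2)
    return re.fullmatch(key2, key1) is not None


def key_get2(key1: str, key2: str, path_var: str) -> str:
    """Re-implementation of Casbin's keyGet2: returns the request segment bound to :path_var, or '' if none."""
    key2 = key2.replace("/*", "/.*")
    names = re.findall(r":([^/]+)", key2)            # placeholder names in pattern order
    pattern = re.sub(r":[^/]+", r"([^/]+)", key2)     # each placeholder becomes a capture group
    m = re.fullmatch(pattern, key1)
    if m is None:
        return ""
    for i, name in enumerate(names):
        if name == path_var:
            return m.group(i + 1)
    return ""


def has_role(user: str, role: str, grouping=GROUPING, _seen=None) -> bool:
    """Casbin's g(user, role): true when user == role or user reaches role through g rows (transitively)."""
    if user == role:
        return True
    seen = set() if _seen is None else _seen
    for ptype, u, r in grouping:
        if ptype == "g" and u == user and r not in seen:
            seen.add(r)
            if has_role(r, role, grouping, seen):
                return True
    return False


def enforce(sub: str, obj: str, act: str, policy=POLICY, grouping=GROUPING) -> bool:
    """Evaluates the answer's matcher with the question's group/path/action parts filled in:
       m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
           && r.sub == keyGet2(r.obj, p.obj, "userid")
       under the effect  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))."""
    allowed = False
    for ptype, p_sub, p_obj, p_act, p_eft in policy:
        if ptype != "p":
            continue
        matched = (
            has_role(sub, p_sub, grouping)
            and key_match2(obj, p_obj)
            and re.search(p_act, act) is not None          # Casbin's regexMatch is an unanchored search
            and sub == key_get2(obj, p_obj, "userid")      # the path's :userid must equal the caller
        )
        if not matched:
            continue
        if p_eft == "deny":
            return False          # any matching deny wins
        if p_eft == "allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    for sub, obj, act in [
        ("alice", "/users/get/alice", "GET"),
        ("alice", "/users/get/john50", "GET"),
        ("john50", "/users/get/john50", "GET"),
        ("mallory", "/users/get/mallory", "GET"),
        ("alice", "/users/get/alice", "DELETE"),
    ]:
        print(f"{sub:8} {act:6} {obj:20} -> {enforce(sub, obj, act)}")
```

One caveat worth checking before adopting this: the matcher is global, so the `r.sub == keyGet2(...)` term applies to every policy row. A rule whose object pattern has no `:userid` placeholder (for example a shared `/health` endpoint) yields `""` from keyGet2 and therefore never matches; such rules need either a separate model or a matcher that only applies the ownership test when the placeholder is present.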