
Is it possible to match p.obj with role by pattern in casbin?


This is the model.conf I'm using:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && regexMatch(r.act, p.act)

This is the relevant policy (The users can read their own posts, and admins can read all posts.):

p, admin, /posts/:id/attachments, GET, allow
p, alice, /posts/1/attachments, GET, allow
g, bob, admin
g2, /files/1.jpg, /posts/1/attachments

The results of these requests are expected to be true:

alice, /files/1.jpg, GET
bob, /files/1.jpg, GET

Currently, I can make the policy work by adding the rule g, /posts/1/attachments, /posts/:id/attachments, but I want to know whether it's possible to match these role names by pattern, so that I wouldn't have to create a rule for every post.

(The closest example I found is the AddNamedMatchingFunc("g","KeyMatch2",util.KeyMatch2) method, and I tried to use it on g2, but it seems that it only matches the pattern on r.obj and the roles.)


Solution

  • The 2nd arg of g is not supported as a pattern. But here's a workaround that uses multiple g rules to have the same effect:

    g, pattern1, role1
    g, role1, pattern2
    

    is the same as:

    g, pattern1, pattern2
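
The two-rule workaround from the answer, applied to the question's policy, as an added example that is not part of the original post and is not casbin's code: a simplified stand-alone model of pattern-aware role resolution. It assumes the matching function is applied to the first argument of each g2 rule at every hop; the role name any_post_attachments, the /files/2.jpg rule and the keyMatch2 stand-in are hypothetical.

```go
package main

import "fmt"
import "regexp"

// Constructed from the question's policy; any_post_attachments is a hypothetical role name.
var policies = [][4]string{ // sub, obj, act, eft
	{"admin", "/posts/:id/attachments", "GET", "allow"},
	{"alice", "/posts/1/attachments", "GET", "allow"},
}
var g = [][2]string{{"bob", "admin"}}
var g2 = [][2]string{
	{"/files/1.jpg", "/posts/1/attachments"},
	{"/files/2.jpg", "/posts/2/attachments"},           // constructed, for the negative check
	{"/posts/:id/attachments", "any_post_attachments"}, // g2, pattern1, role1
	{"any_post_attachments", "/posts/:id/attachments"}, // g2, role1, pattern2
}
var param = regexp.MustCompile(`:[^/]+`)

// keyMatch2 is a minimal stand-in for KeyMatch2: ":name" matches one path segment.
func keyMatch2(name, pattern string) bool {
	return regexp.MustCompile("^" + param.ReplaceAllString(regexp.QuoteMeta(pattern), "[^/]+") + "$").MatchString(name)
}

// hasLink walks rules transitively; only a rule's first argument is treated as a pattern.
func hasLink(rules [][2]string, from, to string, seen map[string]bool) bool {
	if from == to || seen[from] {
		return from == to
	}
	seen[from] = true
	for _, r := range rules {
		if keyMatch2(from, r[0]) && hasLink(rules, r[1], to, seen) {
			return true
		}
	}
	return false
}

// enforce applies the page's matcher and effect: at least one allow and no deny.
func enforce(sub, obj, act string) bool {
	allow, deny := false, false
	for _, p := range policies {
		if regexp.MustCompile(p[2]).MatchString(act) && hasLink(g, sub, p[0], map[string]bool{}) && hasLink(g2, obj, p[1], map[string]bool{}) {
			allow, deny = allow || p[3] == "allow", deny || p[3] == "deny"
		}
	}
	return allow && !deny
}

func main() { fmt.Println(enforce("alice", "/files/1.jpg", "GET"), enforce("bob", "/files/1.jpg", "GET"), enforce("alice", "/files/2.jpg", "GET")) }
```

Running the same three requests against a real enforcer confirms whether your casbin version resolves the chain the same way; the third request (alice on another post's file) must stay false.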