Class: Casbin::Enforcer

Inherits:
ManagementEnforcer
Defined in:
lib/casbin-ruby/enforcer.rb

Overview

Enforcer = ManagementEnforcer + RBAC_API + RBAC_WITH_DOMAIN_API

Creates an enforcer from a model file plus either a policy file or a database adapter.

File:
  e = casbin.Enforcer("path/to/basic_model.conf", "path/to/basic_policy.csv")
MySQL DB:
  a = mysqladapter.DBAdapter("mysql", "mysql_username:mysql_password@tcp(127.0.0.1:3306)/")
  e = casbin.Enforcer("path/to/basic_model.conf", a)

Direct Known Subclasses

SyncedEnforcer

Instance Attribute Summary

Attributes inherited from CoreEnforcer

#adapter, #auto_build_role_links, #auto_save, #effector, #enabled, #model, #rm_map, #watcher

Instance Method Summary

Methods inherited from ManagementEnforcer

#add_function, #add_grouping_policies, #add_grouping_policy, #add_named_grouping_policies, #add_named_grouping_policy, #add_named_policies, #add_named_policy, #add_policies, #add_policy, #get_all_actions, #get_all_named_actions, #get_all_named_objects, #get_all_named_roles, #get_all_named_subjects, #get_all_objects, #get_all_roles, #get_all_subjects, #get_filtered_grouping_policy, #get_filtered_named_grouping_policy, #get_filtered_named_policy, #get_filtered_policy, #get_grouping_policy, #get_named_grouping_policy, #get_named_policy, #get_policy, #has_grouping_policy, #has_named_grouping_policy, #has_named_policy, #has_policy, #parent_add_policies, #parent_add_policy, #parent_remove_filtered_policy, #parent_remove_policies, #parent_remove_policy, #parent_update_policies, #parent_update_policy, #remove_filtered_grouping_policy, #remove_filtered_named_grouping_policy, #remove_filtered_named_policy, #remove_filtered_policy, #remove_grouping_policies, #remove_grouping_policy, #remove_named_grouping_policies, #remove_named_grouping_policy, #remove_named_policies, #remove_named_policy, #remove_policies, #remove_policy, #update_named_policies, #update_named_policy, #update_policies, #update_policy

Methods inherited from CoreEnforcer

#add_named_domain_matching_func, #add_named_matching_func, #build_role_links, #clear_policy, #enable_auto_build_role_links, #enable_auto_save, #enable_enforce, #enforce, #enforce_ex, #filtered?, #init_with_adapter, #init_with_file, #init_with_model_and_adapter, #initialize, #load_filtered_policy, #load_increment_filtered_policy, #load_model, #load_policy, #new_model, new_model, #role_manager, #role_manager=, #save_policy

Constructor Details

This class inherits a constructor from Casbin::CoreEnforcer

Instance Method Details

#add_permission_for_user(user, *permission) ⇒ Object

adds a permission for a user or role. Returns false if the user or role already has the permission (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 74

# Grants a permission to a user or role by adding one policy rule.
#
# The rule is built by Util.join_slice from +user+ followed by the
# +permission+ fields, and handed to add_policy as a single argument.
# Returns whatever add_policy returns (documented on this page as false
# when the subject already had the permission).
#
# NOTE(review): this method does no check of its own on who is requesting
# the change; it forwards straight to add_policy, so the caller has to
# authorize the operation first.
def add_permission_for_user(user, *permission)
  rule = Util.join_slice(user, *permission)
  add_policy(rule)
end

#add_role_for_user(user, role) ⇒ Object

adds a role for a user. Returns false if the user already has the role (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 34

# Assigns +role+ to +user+ by adding the grouping rule (user, role).
#
# Returns whatever add_grouping_policy returns (documented on this page as
# false when the user already had the role).
#
# NOTE(review): no domain is passed here; for a domain-scoped assignment the
# page lists add_role_for_user_in_domain.
def add_role_for_user(user, role)
  grouping_rule = [user, role]
  add_grouping_policy(*grouping_rule)
end

#add_role_for_user_in_domain(user, role, domain) ⇒ Object

adds a role for a user inside a domain. Returns false if the user already has the role (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 174

# Assigns +role+ to +user+ inside +domain+ by adding the grouping rule
# (user, role, domain), in that field order.
#
# Returns whatever add_grouping_policy returns (documented on this page as
# false when the user already had the role).
def add_role_for_user_in_domain(user, role, domain)
  grouping_rule = [user, role, domain]
  add_grouping_policy(*grouping_rule)
end

#delete_permission(*permission) ⇒ Object

deletes a permission. Returns false if the permission does not exist (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 68

# Deletes a permission by calling remove_filtered_policy with a leading 1
# followed by the +permission+ fields.
#
# Returns whatever remove_filtered_policy returns (documented on this page
# as false when the permission did not exist).
#
# NOTE(review): the 1 is presumably the index of the first field to match,
# i.e. the field right after the subject, so the removal would apply to every
# subject holding the permission. In a model whose policy puts a domain in
# that position the fields would line up differently. Confirm against
# remove_filtered_policy and the model definition.
def delete_permission(*permission)
  start_field = 1
  remove_filtered_policy(start_field, *permission)
end

#delete_permission_for_user(user, *permission) ⇒ Object

deletes a permission for a user or role. Returns false if the user or role does not have the permission (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 80

# Revokes one permission from a user or role.
#
# Builds the rule with Util.join_slice (+user+ first, then the +permission+
# fields) and passes it to remove_policy as a single argument. Returns
# whatever remove_policy returns (documented on this page as false when the
# subject did not have the permission).
def delete_permission_for_user(user, *permission)
  rule = Util.join_slice(user, *permission)
  remove_policy(rule)
end

#delete_permissions_for_user(user) ⇒ Object

deletes permissions for a user or role. Returns false if the user or role does not have any permissions (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 86

# Revokes every permission of a user or role by calling
# remove_filtered_policy(0, user).
#
# Returns whatever remove_filtered_policy returns (documented on this page
# as false when the subject had no permissions).
#
# NOTE(review): only policy rules are touched here; role assignments of the
# same subject are not removed by this call.
def delete_permissions_for_user(user)
  subject_field = 0
  remove_filtered_policy(subject_field, user)
end

#delete_role(role) ⇒ Object

deletes a role. Returns false if the role does not exist (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 60

# Deletes a role: removes grouping rules filtered on (1, role) and policy
# rules filtered on (0, role).
#
# Both removals always run; the result is the first one if it is truthy,
# otherwise the second (documented on this page as false when the role did
# not exist).
#
# NOTE(review): grouping rules that have the role in field 0 (the role itself
# inheriting from another role) are presumably not matched by either call, so
# a role re-created under the same name could pick them up again. Confirm
# against remove_filtered_grouping_policy.
def delete_role(role)
  removed_from_groupings = remove_filtered_grouping_policy(1, role)
  removed_from_policies = remove_filtered_policy(0, role)
  removed_from_groupings || removed_from_policies
end

#delete_role_for_user(user, role) ⇒ Object

deletes a role for a user. Returns false if the user does not have the role (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 40

# Removes +role+ from +user+ by deleting the grouping rule (user, role).
#
# Returns whatever remove_grouping_policy returns (documented on this page
# as false when the user did not have the role).
def delete_role_for_user(user, role)
  grouping_rule = [user, role]
  remove_grouping_policy(*grouping_rule)
end

#delete_roles_for_user(user) ⇒ Object

deletes all roles for a user. Returns false if the user does not have any roles (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 46

# Removes all roles of +user+ by calling
# remove_filtered_grouping_policy(0, user).
#
# Returns whatever remove_filtered_grouping_policy returns (documented on
# this page as false when the user had no roles).
def delete_roles_for_user(user)
  user_field = 0
  remove_filtered_grouping_policy(user_field, user)
end

#delete_roles_for_user_in_domain(user, role, domain) ⇒ Object

deletes a role for a user inside a domain. Returns false if the user does not have any roles (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 180

# Removes a role from +user+ inside +domain+ by calling
# remove_filtered_grouping_policy(0, user, role, domain).
#
# Despite the plural method name, all three values are passed to the filter.
# Returns whatever remove_filtered_grouping_policy returns.
def delete_roles_for_user_in_domain(user, role, domain)
  filter_values = [user, role, domain]
  remove_filtered_grouping_policy(0, *filter_values)
end

#delete_user(user) ⇒ Object

deletes a user. Returns false if the user does not exist (aka not affected).



# File 'lib/casbin-ruby/enforcer.rb', line 52

# Deletes a user: removes grouping rules filtered on (0, user) and policy
# rules filtered on (0, user).
#
# Both removals always run; the result is the first one if it is truthy,
# otherwise the second (documented on this page as false when the user did
# not exist).
#
# NOTE(review): both filters start at field 0, so rules that mention the same
# name in a later field are presumably left in place. Confirm against the
# filter helpers before relying on this for full deprovisioning.
def delete_user(user)
  removed_from_groupings = remove_filtered_grouping_policy(0, user)
  removed_from_policies = remove_filtered_policy(0, user)
  removed_from_groupings || removed_from_policies
end

#get_implicit_permissions_for_user(user, domain = nil) ⇒ Object

Gets implicit permissions for a user or role. Compared to get_permissions_for_user(), this function also retrieves permissions for inherited roles. For example, given:

  p, admin, data1, read
  p, alice, data2, read
  g, alice, admin

get_permissions_for_user("alice") can only get: [["alice", "data2", "read"]]. But get_implicit_permissions_for_user("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].



# File 'lib/casbin-ruby/enforcer.rb', line 131

# Collects the permissions of +user+ together with those of every role
# returned by get_implicit_roles_for_user.
#
# The user is placed first, so the user's own rules come before the rules of
# the inherited roles. When +domain+ is truthy each subject is looked up with
# get_permissions_for_user_in_domain, otherwise with get_permissions_for_user.
#
# NOTE(review): results are concatenated as-is; if the role list contains a
# name more than once, its permissions appear more than once as well.
def get_implicit_permissions_for_user(user, domain = nil)
  subjects = get_implicit_roles_for_user(user, domain).unshift(user)
  subjects.each_with_object([]) do |subject, collected|
    direct =
      if domain
        get_permissions_for_user_in_domain(subject, domain)
      else
        get_permissions_for_user(subject)
      end
    collected.concat(direct)
  end
end

#get_implicit_roles_for_user(name, domain = nil) ⇒ Object

Gets the implicit roles that a user has. Compared to get_roles_for_user(), this function retrieves indirect roles in addition to direct roles. For example, given:

  g, alice, role:admin
  g, role:admin, role:user

get_roles_for_user("alice") can only get: ["role:admin"]. But get_implicit_roles_for_user("alice") will get: ["role:admin", "role:user"].



# File 'lib/casbin-ruby/enforcer.rb', line 107

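# Collects every role +name+ holds directly or through role inheritance.
#
# Walks the role graph breadth-first: for each pending name, every role
# manager in rm_map is asked for that name's roles (with +domain+ passed
# through unchanged), and each role not seen before is recorded and queued
# for its own lookup.
#
# Each role is returned once, in first-discovery order. Tracking visited
# names keeps the walk finite when the grouping rules contain a cycle
# (a -> b -> a) and stops a role reachable by several paths from being
# listed repeatedly. The starting name is marked as visited up front, so a
# cycle never reports the subject as one of its own roles.
def get_implicit_roles_for_user(name, domain = nil)
  # A Hash is used as the visited set so no extra library is needed.
  seen = { name => true }
  found = []
  pending = [name]

  until pending.empty?
    current = pending.shift
    rm_map.each_value do |rm|
      rm.get_roles(current, domain).each do |role|
        next if seen[role]

        seen[role] = true
        found << role
        pending << role
      end
    end
  end

  found
end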

#get_implicit_users_for_permission(*permission) ⇒ Object

Gets implicit users for a permission. For example, given:

  p, admin, data1, read
  p, bob, data1, read
  g, alice, admin

get_implicit_users_for_permission("data1", "read") will get: ["alice", "bob"]. Note: only users will be returned; roles (2nd arg in "g") will be excluded.



# File 'lib/casbin-ruby/enforcer.rb', line 155

# Lists the users for whom enforce grants the given permission.
#
# Candidates are the subjects from get_all_subjects minus the names from
# get_all_roles (via Util.set_subtract). Each candidate is then checked with
# enforce, using the request built by Util.join_slice from the candidate
# followed by the +permission+ fields.
#
# NOTE(review): enforce runs once per candidate, so the cost grows with the
# number of subjects, and the answer depends on the currently loaded model
# and policy.
def get_implicit_users_for_permission(*permission)
  candidates = Util.set_subtract(get_all_subjects, get_all_roles)
  candidates.find_all do |candidate|
    request = Util.join_slice(candidate, *permission)
    enforce(*request)
  end
end

#get_permissions_for_user(user) ⇒ Object

gets permissions for a user or role.



# File 'lib/casbin-ruby/enforcer.rb', line 91

# Returns the policy rules of a user or role, as produced by
# get_filtered_policy(0, user).
#
# Only rules naming +user+ itself are requested; per this page, permissions
# gained through roles come from get_implicit_permissions_for_user instead.
def get_permissions_for_user(user)
  subject_field = 0
  get_filtered_policy(subject_field, user)
end

#get_permissions_for_user_in_domain(user, domain) ⇒ Object

gets permissions for a user or role inside domain.



# File 'lib/casbin-ruby/enforcer.rb', line 185

# Returns the policy rules of a user or role inside +domain+, as produced by
# get_filtered_policy(0, user, domain).
#
# NOTE(review): the values are passed in the order (user, domain), which
# presumably requires the model's policy definition to place the domain
# directly after the subject. Confirm against the model in use.
def get_permissions_for_user_in_domain(user, domain)
  filter_values = [user, domain]
  get_filtered_policy(0, *filter_values)
end

#get_roles_for_user(name) ⇒ Object

gets the roles that a user has.



# File 'lib/casbin-ruby/enforcer.rb', line 17

# Returns the roles of +name+ as reported by the role manager stored under
# model.model['g']['g'].
#
# Only the 'g' entry is consulted and no domain is passed. A model without
# that entry makes the lookup chain raise rather than return an empty list.
def get_roles_for_user(name)
  role_mgr = model.model['g']['g'].rm
  role_mgr.get_roles(name)
end

#get_roles_for_user_in_domain(name, domain) ⇒ Object

gets the roles that a user has inside a domain.



# File 'lib/casbin-ruby/enforcer.rb', line 163

# Returns the roles of +name+ inside +domain+ as reported by the role manager
# stored under model.model['g']['g'].
#
# Only the 'g' entry is consulted. A model without that entry makes the
# lookup chain raise rather than return an empty list.
def get_roles_for_user_in_domain(name, domain)
  role_mgr = model.model['g']['g'].rm
  role_mgr.get_roles(name, domain)
end

#get_users_for_role(name) ⇒ Object

Gets the users that have a role.



# File 'lib/casbin-ruby/enforcer.rb', line 22

# Returns the users holding role +name+ as reported by the role manager
# stored under model.model['g']['g'].
#
# Only the 'g' entry is consulted and no domain is passed. A model without
# that entry makes the lookup chain raise rather than return an empty list.
def get_users_for_role(name)
  role_mgr = model.model['g']['g'].rm
  role_mgr.get_users(name)
end

#get_users_for_role_in_domain(name, domain) ⇒ Object

Gets the users that have a role inside a domain.



# File 'lib/casbin-ruby/enforcer.rb', line 168

# Returns the users holding role +name+ inside +domain+ as reported by the
# role manager stored under model.model['g']['g'].
#
# Only the 'g' entry is consulted. A model without that entry makes the
# lookup chain raise rather than return an empty list.
def get_users_for_role_in_domain(name, domain)
  role_mgr = model.model['g']['g'].rm
  role_mgr.get_users(name, domain)
end

#has_permission_for_user(user, *permission) ⇒ Object

determines whether a user has a permission.



# File 'lib/casbin-ruby/enforcer.rb', line 96

# Reports whether a policy rule for +user+ with the given +permission+
# fields exists, by passing the rule from Util.join_slice to has_policy.
#
# NOTE(review): this looks up the literal rule only; it presumably does not
# account for permissions reached through roles or for the model's matcher.
# For an access decision the page lists enforce.
def has_permission_for_user(user, *permission)
  rule = Util.join_slice(user, *permission)
  has_policy(rule)
end

#has_role_for_user(name, role) ⇒ Object

determines whether a user has a role.



# File 'lib/casbin-ruby/enforcer.rb', line 27

# Reports whether +role+ is among the roles returned by
# get_roles_for_user(name).
#
# The check covers only what get_roles_for_user returns; per this page,
# roles reached through inheritance are listed by get_implicit_roles_for_user
# instead.
def has_role_for_user(name, role)
  get_roles_for_user(name).include?(role)
end