GetNamedImplicitUsersForResource returns the implicit users for a resource, with named-policy support. It handles resource-to-resource relationships expressed through named grouping policies (e.g., g2, g3, ...): a rule such as `g2, app, admin_data` means that policies granted on `admin_data` also apply to `app`. For example, given the policies:

p, admin_group, admin_data, *
g, admin, admin_group

Signature: GetNamedImplicitUsersForResource(ptype string, resource string)
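// GetNamedImplicitUsersForResource returns the implicit users for a resource,
// with named grouping-policy support.
//
// A named grouping policy (ptype, e.g. "g2", "g3") expresses a
// resource-to-resource relationship: the rule "g2, app, admin_data" means that
// "p" rules granted on "admin_data" also apply to "app". Given
//
//	p, admin_group, admin_data, *
//	g, admin, admin_group
//	g2, app, admin_data
//
// GetNamedImplicitUsersForResource("g2", "app") returns every "p" rule whose
// object is "app" itself or an object "app" is linked to through "g2", with
// role subjects (as reported by GetAllRoles) replaced by the users the role
// manager returns for them — here, assuming the role manager resolves
// admin_group to admin, the single rule [admin admin_data *]. Note that only
// the subject is rewritten; the object stays the one from the matching rule,
// not the queried resource.
//
// Errors are returned rather than swallowed: a ptype that does not exist in
// the model, a "p" definition without a "sub" or "obj" token, or a role
// manager that cannot resolve a role's users all surface as an error instead
// of a silently incomplete answer. For an access-review query ("who can reach
// this resource?") an incomplete answer is a false negative, which is worse
// than no answer.
//
// Every rule in the result is a fresh copy, so callers may modify it without
// touching the enforcer's live policy.
func (e *Enforcer) GetNamedImplicitUsersForResource(ptype string, resource string) ([][]string, error) {
	// A missing token yields an unusable index; indexing a rule with it would
	// panic, so fail early instead of ignoring the error.
	subjectIndex, err := e.GetFieldIndex("p", "sub")
	if err != nil {
		return nil, err
	}
	objectIndex, err := e.GetFieldIndex("p", "obj")
	if err != nil {
		return nil, err
	}

	rm := e.GetRoleManager()
	if rm == nil {
		return nil, fmt.Errorf("role manager is not initialized")
	}

	// Subjects known as roles are expanded to their users below; any other
	// subject is taken to be a user and its rule is returned as-is.
	roles, err := e.GetAllRoles()
	if err != nil {
		return nil, err
	}
	isRole := make(map[string]bool, len(roles))
	for _, role := range roles {
		isRole[role] = true
	}

	// Objects that `resource` reaches through ptype. In a grouping rule
	// "g2, app, admin_data", [0] is the resource and [1] is the object whose
	// policies it inherits. An unknown ptype is an error, not "no links":
	// quietly falling back to direct rules only would under-report access.
	ptypePolicies, err := e.GetNamedGroupingPolicy(ptype)
	if err != nil {
		return nil, fmt.Errorf("getting %s grouping policy: %w", ptype, err)
	}
	linkedObjects := make(map[string]bool)
	for _, gp := range ptypePolicies {
		if len(gp) < 2 {
			continue // malformed grouping rule cannot describe a link
		}
		if gp[0] == resource {
			linkedObjects[gp[1]] = true
		}
	}

	// Shortest rule that can carry both fields we index.
	minLen := subjectIndex + 1
	if objectIndex+1 > minLen {
		minLen = objectIndex + 1
	}

	permissions := make([][]string, 0)
	for _, rule := range e.model["p"]["p"].Policy {
		if len(rule) < minLen {
			continue // rule too short to carry sub/obj; skip rather than panic
		}
		obj := rule[objectIndex]
		if obj != resource && !linkedObjects[obj] {
			continue
		}
		sub := rule[subjectIndex]

		if !isRole[sub] {
			// Copy so the result never aliases the enforcer's policy storage.
			permissions = append(permissions, deepCopyPolicy(rule))
			continue
		}

		// NOTE(review): rm.GetUsers is assumed to return the users the role
		// manager resolves for sub; if it is non-transitive, users that hold
		// sub only through a chained role are not listed — confirm against
		// the role manager in use.
		users, err := rm.GetUsers(sub)
		if err != nil {
			return nil, fmt.Errorf("resolving users of role %s: %w", sub, err)
		}
		for _, user := range users {
			implicitUserRule := deepCopyPolicy(rule)
			implicitUserRule[subjectIndex] = user
			permissions = append(permissions, implicitUserRule)
		}
	}

	return removeDuplicatePermissions(permissions), nil
}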
| 600 | |
| 601 | // GetImplicitUsersForResourceByDomain return implicit user based on resource and domain. |
| 602 | // Compared to GetImplicitUsersForResource, domain is supported. |