feat: check model grammar when saving and provide a ACL model as init data (#1062 )

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com> Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
feat: fix token info not contains roles and permissions (#1060 )
2025-07-09 01:13:41 +08:00 · 2022-08-24 17:21:05 +08:00 · 2022-08-24 01:41:26 +08:00
5 changed files with 53 additions and 8 deletions
--- a/controllers/user.go
+++ b/controllers/user.go
@ -119,12 +119,7 @@ func (c *ApiController) GetUser() {
 		user = object.GetUser(id)
 	}

-	if user != nil {
-		roles := object.GetRolesByUser(user.GetId())
-		user.Roles = roles
-		permissions := object.GetPermissionsByUser(user.GetId())
-		user.Permissions = permissions
-	}
+	object.ExtendUserWithRolesAndPermissions(user)

 	c.Data["json"] = object.GetMaskedUser(user)
 	c.ServeJSON()
--- a/object/init.go
+++ b/object/init.go
@ -27,6 +27,7 @@ import (
 func InitDb() {
 	existed := initBuiltInOrganization()
 	if !existed {
+		initBuiltInModel()
 		initBuiltInPermission()
 		initBuiltInProvider()
 		initBuiltInUser()
@ -239,6 +240,33 @@ func initWebAuthn() {
 	gob.Register(webauthn.SessionData{})
 }

+func initBuiltInModel() {
+	model := GetModel("built-in/model-built-in")
+	if model != nil {
+		return
+	}
+
+	model = &Model{
+		Owner:       "built-in",
+		Name:        "model-built-in",
+		CreatedTime: util.GetCurrentTime(),
+		DisplayName: "Built-in Model",
+		IsEnabled:   true,
+		ModelText: `[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[matchers]
+m = r.sub == p.sub && r.obj == p.obj && r.act == p.act`,
+	}
+	AddModel(model)
+}
+
 func initBuiltInPermission() {
 	permission := GetPermission("built-in/permission-built-in")
 	if permission != nil {
@ -253,6 +281,7 @@ func initBuiltInPermission() {
 		Users:        []string{"built-in/admin"},
 		Roles:        []string{},
 		Domains:      []string{},
+		Model:        "model-built-in",
 		ResourceType: "Application",
 		Resources:    []string{"app-built-in"},
 		Actions:      []string{"Read", "Write", "Admin"},
--- a/object/model.go
+++ b/object/model.go
@ -17,6 +17,7 @@ package object
 import (
 	"fmt"

+	"github.com/casbin/casbin/v2/model"
 	"github.com/casdoor/casdoor/util"
 	"xorm.io/core"
 )
@ -85,13 +86,19 @@ func GetModel(id string) *Model {
 	return getModel(owner, name)
 }

-func UpdateModel(id string, model *Model) bool {
+func UpdateModel(id string, modelObj *Model) bool {
 	owner, name := util.GetOwnerAndNameFromId(id)
 	if getModel(owner, name) == nil {
 		return false
 	}

-	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(model)
+	// check model grammar
+	_, err := model.NewModelFromString(modelObj.ModelText)
+	if err != nil {
+		panic(err)
+	}
+
+	affected, err := adapter.Engine.ID(core.PK{owner, name}).AllCols().Update(modelObj)
 	if err != nil {
 		panic(err)
 	}
--- a/object/token.go
+++ b/object/token.go
@ -287,6 +287,7 @@ func GetOAuthCode(userId string, clientId string, responseType string, redirectU
 		}
 	}

+	ExtendUserWithRolesAndPermissions(user)
 	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, nonce, scope, host)
 	if err != nil {
 		panic(err)
@ -421,6 +422,7 @@ func RefreshToken(grantType string, refreshToken string, scope string, clientId
 		}
 	}

+	ExtendUserWithRolesAndPermissions(user)
 	newAccessToken, newRefreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 	if err != nil {
 		return &TokenError{
@ -571,6 +573,7 @@ func GetPasswordToken(application *Application, username string, password string
 		}
 	}

+	ExtendUserWithRolesAndPermissions(user)
 	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 	if err != nil {
 		return nil, &TokenError{
@ -640,6 +643,7 @@ func GetClientCredentialsToken(application *Application, clientSecret string, sc
 // GetTokenByUser
 // Implicit flow
 func GetTokenByUser(application *Application, user *User, scope string, host string) (*Token, error) {
+	ExtendUserWithRolesAndPermissions(user)
 	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", scope, host)
 	if err != nil {
 		return nil, err
@ -726,6 +730,7 @@ func GetWechatMiniProgramToken(application *Application, code string, host strin
 		AddUser(user)
 	}

+	ExtendUserWithRolesAndPermissions(user)
 	accessToken, refreshToken, tokenName, err := generateJwtToken(application, user, "", "", host)
 	if err != nil {
 		return nil, &TokenError{
--- a/object/user.go
+++ b/object/user.go
@ -566,3 +566,12 @@ func (user *User) GetId() string {
 func isUserIdGlobalAdmin(userId string) bool {
 	return strings.HasPrefix(userId, "built-in/")
 }
+
+func ExtendUserWithRolesAndPermissions(user *User) {
+	if user == nil {
+		return
+	}
+
+	user.Roles = GetRolesByUser(user.GetId())
+	user.Permissions = GetPermissionsByUser(user.GetId())
+}