This is the model.conf I'm using:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[role_definition]
g = _, _
g2 = _, _
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && regexMatch(r.act, p.act)
This is the relevant policy (users can read their own posts, and admins can read all posts):
p, admin, /posts/:id/attachments, GET, allow
p, alice, /posts/1/attachments, GET, allow
g, bob, admin
g2, /files/1.jpg, /posts/1/attachments
The results of these requests are expected to be true:
alice, /files/1.jpg, GET
bob, /files/1.jpg, GET
Currently, I can make the policy work by adding the rule g, /posts/1/attachments, /posts/:id/attachments, but I want to know whether it's possible to match these role names by pattern, so that I wouldn't have to create a rule for every post.
(The closest example I found is the AddNamedMatchingFunc("g","KeyMatch2",util.KeyMatch2) method, and I tried to use it on g2, but it seems that it only matches the pattern on r.obj and the roles.)
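A small stand-alone simulation of this model's matcher, added here as an example; it is not Casbin's own code or role manager. It evaluates the two requests above first with exact g2 role links, then with a hypothetical KeyMatch2-style match applied to the role side of g2, which is the behaviour the question asks about. The key_match2, has_link and enforce functions and the in-line policy data are assumptions of the example, constructed to mirror the question.

```python
import re
from typing import Callable, Optional

# Constructed data mirroring the question's policy.csv (sub, obj, act, eft).
POLICY = [
    ("admin", "/posts/:id/attachments", "GET", "allow"),
    ("alice", "/posts/1/attachments", "GET", "allow"),
]
G = [("bob", "admin")]                            # g: user -> role
G2 = [("/files/1.jpg", "/posts/1/attachments")]  # g2: resource -> resource role


def key_match2(key1: str, key2: str) -> bool:
    """Simplified KeyMatch2: a ':id' segment in key2 matches one path segment of key1."""
    pattern = re.sub(r":[^/]+", "[^/]+", re.escape(key2))
    return re.fullmatch(pattern, key1) is not None


def has_link(links, name: str, role: str,
             match: Optional[Callable[[str, str], bool]] = None) -> bool:
    """Does `name` reach `role` through the link table (transitively)?
    Exact comparison by default; when `match` is given, each reached name is also
    compared to `role` with it (the hypothetical pattern matching on the role side)."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur == role or (match is not None and match(cur, role)):
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(dst for src, dst in links if src == cur)
    return False


def enforce(sub: str, obj: str, act: str,
            g2_match: Optional[Callable[[str, str], bool]] = None) -> bool:
    """m = g(r.sub, p.sub) && g2(r.obj, p.obj) && regexMatch(r.act, p.act)
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))"""
    effects = [
        eft for p_sub, p_obj, p_act, eft in POLICY
        if has_link(G, sub, p_sub)
        and has_link(G2, obj, p_obj, g2_match)
        and re.search(p_act, act)
    ]
    return "allow" in effects and "deny" not in effects


if __name__ == "__main__":
    print(enforce("alice", "/files/1.jpg", "GET"))              # True: exact g2 link
    print(enforce("bob", "/files/1.jpg", "GET"))                # False: role side is exact
    print(enforce("bob", "/files/1.jpg", "GET", key_match2))    # True with pattern on role side
```

Without a match function bob is refused because /posts/1/attachments never equals /posts/:id/attachments; with the pattern applied on the g2 role side the admin rule matches without a per-post link.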
The 2nd arg of g is not supported to be a pattern. But here's a workaround to use multiple g to have the same effect:

is the same as: