【Video tutorial recommendation: nodejs tutorial】
Overview
Casbin is a powerful and efficient open source access control framework whose permission management mechanism supports multiple access control models.
What is Casbin?
Casbin can:
- Supports custom request format, the default request format is {subject, object, action}.
- It has two core concepts: access control model model and policy policy.
- Supports multi-level role inheritance in RBAC. Not only subjects can have roles, but resources can also have roles.
- Supports super users, such as root or Administrator, who can access any resources without being restricted by authorization policies.
- Supports a variety of built-in operators, such as keyMatch, to facilitate management of path-based resources, such as /foo/bar can be mapped to /foo*
Casbin cannot:
- Identity authentication (that is, verifying the user's user name and password), casbin is only responsible for access control. There should be other specialized components responsible for identity authentication, and then casbin should perform access control. The two work together.
- Manage user list or role list. Casbin believes that it is more appropriate for the project itself to manage the user and role lists. Users usually have their passwords, but Casbin is not designed to be a container for storing passwords. Instead, it stores the mapping relationship between users and roles in the RBAC scheme.
Documentation
casbin.org/docs/en/overview
Installation
# NPMnpm install casbin --save# Yarnyarn add casbin
Let’s get started
Creating Casbin enforcer requires a model file and policy file as parameters:
import { newEnforcer } from 'casbin';const enforcer = await newEnforcer('basic_model.conf', 'basic_policy.csv'); You can also initialize the enforcer with the policy in the DB instead of the file, see Adapter for details.
const sub = 'alice'; // 想要访问资源的用户。const obj = 'data1'; // 将要访问的资源。const act = 'read'; // 用户对资源执行的操作。const res = await enforcer.enforce(sub, obj, act);if (res) {
// 允许 alice 读取数据1} else {
// 拒绝请求,显示错误}
In addition to static policy files, node-casbin also provides an API for permission management at runtime, for example, you can obtain all roles assigned to a user as follows:
const roles = await enforcer.getRolesForUser('alice');
Please refer to Management API and RBAC API for more usage methods.
Working Principle
In Casbin, the access control model is abstracted into a file based on PERM (Policy, Effect, Request, Matcher) . Therefore, switching or upgrading a project's authorization mechanism is as simple as modifying the configuration. You can customize your own access control model by combining the available models. For example, you can have RBAC roles and ABAC attributes in one model and share a set of policy rules.
The most basic and simple model in Casbin is ACL. The model CONF in ACL is:
# Request definition[request_definition]r = sub, obj, act # Policy definition[policy_definition]p = sub, obj, act # Policy effect[policy_effect]e = some(where (p.eft == allow))# Matchers[matchers]m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
The example policy of ACL model is as follows:
p, alice, data1, read p, bob, data2, write
This means:
- alice can read data1
- bob can write data2
For too long single-line configuration, you can also break the line by adding '' at the end:
# Matchers[matchers]m = r.sub == p.sub && r.obj == p.obj \ && r.act == p.act
In addition, for ABAC, you can use Casbin golang version Try the following (not yet supported by jCasbin and Node-Casbin) operation:
# Matchers[matchers]m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')
But you should ensure that the length of the array is greater than 1, otherwise it will cause panic.
For more operations, you can check out govaluate.
For more programming-related knowledge, please visit: Introduction to Programming! !
The above is the detailed content of Learn about Node.js Casbin. For more information, please follow other related articles on the PHP Chinese website!
From C/C to JavaScript: How It All WorksApr 14, 2025 am 12:05 AMThe shift from C/C to JavaScript requires adapting to dynamic typing, garbage collection and asynchronous programming. 1) C/C is a statically typed language that requires manual memory management, while JavaScript is dynamically typed and garbage collection is automatically processed. 2) C/C needs to be compiled into machine code, while JavaScript is an interpreted language. 3) JavaScript introduces concepts such as closures, prototype chains and Promise, which enhances flexibility and asynchronous programming capabilities.
JavaScript Engines: Comparing ImplementationsApr 13, 2025 am 12:05 AMDifferent JavaScript engines have different effects when parsing and executing JavaScript code, because the implementation principles and optimization strategies of each engine differ. 1. Lexical analysis: convert source code into lexical unit. 2. Grammar analysis: Generate an abstract syntax tree. 3. Optimization and compilation: Generate machine code through the JIT compiler. 4. Execute: Run the machine code. V8 engine optimizes through instant compilation and hidden class, SpiderMonkey uses a type inference system, resulting in different performance performance on the same code.
Beyond the Browser: JavaScript in the Real WorldApr 12, 2025 am 12:06 AMJavaScript's applications in the real world include server-side programming, mobile application development and Internet of Things control: 1. Server-side programming is realized through Node.js, suitable for high concurrent request processing. 2. Mobile application development is carried out through ReactNative and supports cross-platform deployment. 3. Used for IoT device control through Johnny-Five library, suitable for hardware interaction.
Building a Multi-Tenant SaaS Application with Next.js (Backend Integration)Apr 11, 2025 am 08:23 AMI built a functional multi-tenant SaaS application (an EdTech app) with your everyday tech tool and you can do the same. First, what’s a multi-tenant SaaS application? Multi-tenant SaaS applications let you serve multiple customers from a sing
How to Build a Multi-Tenant SaaS Application with Next.js (Frontend Integration)Apr 11, 2025 am 08:22 AMThis article demonstrates frontend integration with a backend secured by Permit, building a functional EdTech SaaS application using Next.js. The frontend fetches user permissions to control UI visibility and ensures API requests adhere to role-base
JavaScript: Exploring the Versatility of a Web LanguageApr 11, 2025 am 12:01 AMJavaScript is the core language of modern web development and is widely used for its diversity and flexibility. 1) Front-end development: build dynamic web pages and single-page applications through DOM operations and modern frameworks (such as React, Vue.js, Angular). 2) Server-side development: Node.js uses a non-blocking I/O model to handle high concurrency and real-time applications. 3) Mobile and desktop application development: cross-platform development is realized through ReactNative and Electron to improve development efficiency.
The Evolution of JavaScript: Current Trends and Future ProspectsApr 10, 2025 am 09:33 AMThe latest trends in JavaScript include the rise of TypeScript, the popularity of modern frameworks and libraries, and the application of WebAssembly. Future prospects cover more powerful type systems, the development of server-side JavaScript, the expansion of artificial intelligence and machine learning, and the potential of IoT and edge computing.
Demystifying JavaScript: What It Does and Why It MattersApr 09, 2025 am 12:07 AMJavaScript is the cornerstone of modern web development, and its main functions include event-driven programming, dynamic content generation and asynchronous programming. 1) Event-driven programming allows web pages to change dynamically according to user operations. 2) Dynamic content generation allows page content to be adjusted according to conditions. 3) Asynchronous programming ensures that the user interface is not blocked. JavaScript is widely used in web interaction, single-page application and server-side development, greatly improving the flexibility of user experience and cross-platform development.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
MantisBT
Mantis is an easy-to-deploy web-based defect tracking tool designed to aid in product defect tracking. It requires PHP, MySQL and a web server. Check out our demo and hosting services.
Atom editor mac version download
The most popular open source editor
SublimeText3 Linux new version
SublimeText3 Linux latest version
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
