RBAC via casbin

config/casbin/model.conf

@@ -0,0 +1,24 @@
+# Casbin access model for the storefront.
+#
+# Request is (subject, object, action) = (role, request-path, HTTP-method);
+# axum-casbin supplies path + method automatically and the subject comes from
+# our JWT-derived CasbinVals (see src/shared/rbac.rs).
+#
+# Deny-override: every request is allowed unless a matching policy line marks it
+# `deny`. That keeps the public storefront fully open and lets the policy file
+# carve out the protected `/admin/*` subtree for non-admins only.
+
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = !some(where (p.eft == deny))
+
+[matchers]
+m = (r.sub == p.sub || g(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)