# Casbin access model for the storefront.
#
# Request is (subject, object, action) = (role, request-path, HTTP-method);
# axum-casbin supplies path + method automatically and the subject comes from
# our JWT-derived CasbinVals (see src/shared/rbac.rs).
#
# Deny-override: every request is allowed unless a matching policy line marks it
# `deny`. That keeps the public storefront fully open and lets the policy file
# deny the protected `/admin/*` subtree to non-admin roles only.

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = !some(where (p.eft == deny))

[matchers]
m = (r.sub == p.sub || g(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
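Added example, not part of this model file or the storefront project: a small Python evaluator of exactly this model (keyMatch, unanchored regexMatch, `g` role inheritance and the deny-override effect) run over a constructed policy file with assumed roles `customer` and `admin` and users `alice` and `bob`. It shows what the effect rule implies for defenders: an `allow` line can never override a matching `deny`, a subject with no policy line at all is allowed everywhere, and `/admin/*` does not cover the bare `/admin` path.

```python
import re

# Constructed sample policy (CSV), not the project's real policy file.
POLICY_CSV = """\
p, customer, /admin/*, .*, deny
p, customer, /admin/*, GET, allow
g, alice, admin
g, bob, customer
"""

def key_match(key1, key2):
    """casbin keyMatch: a '*' in key2 matches the rest of the path."""
    i = key2.find("*")
    if i == -1:
        return key1 == key2
    if len(key1) > i:
        return key1[:i] == key2[:i]
    return key1 == key2[:i]

def load_policy(csv_text):
    p_rules, g_rules = [], []
    for line in csv_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if fields[0] == "p":
            sub, obj, act = fields[1:4]
            eft = fields[4] if len(fields) > 4 else "allow"  # casbin default
            p_rules.append((sub, obj, act, eft))
        elif fields[0] == "g":
            g_rules.append((fields[1], fields[2]))
    return p_rules, g_rules

def has_role(sub, role, g_rules, seen=None):
    """g(r.sub, p.sub): transitive role inheritance over the g lines."""
    seen = set() if seen is None else seen
    for user, parent in g_rules:
        if user == sub and parent not in seen:
            seen.add(parent)
            if parent == role or has_role(parent, role, g_rules, seen):
                return True
    return False

def enforce(sub, obj, act, p_rules, g_rules):
    """m && e from the model: allowed unless a matching rule has eft == deny."""
    for p_sub, p_obj, p_act, p_eft in p_rules:
        matched = ((sub == p_sub or has_role(sub, p_sub, g_rules))
                   and key_match(obj, p_obj)
                   and re.search(p_act, act) is not None)  # regexMatch is unanchored
        if matched and p_eft == "deny":
            return False  # deny-override: one deny wins, allow lines never help
    return True  # no deny matched, including subjects with no policy at all
```

Because the model fails open, every role the JWT can carry needs its own `deny` line for `/admin/*`, and routes mounted at `/admin` without a trailing slash need a separate pattern.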