diff --git a/controllers/casbin_api.go b/controllers/casbin_api.go index cede5b769a1d..0da84419e75c 100644 --- a/controllers/casbin_api.go +++ b/controllers/casbin_api.go @@ -243,7 +243,13 @@ func (c *ApiController) GetAllObjects() { return } - c.ResponseOk(object.GetAllObjects(userId)) + objects, err := object.GetAllObjects(userId) + if err != nil { + c.ResponseError(err.Error()) + return + } + + c.ResponseOk(objects) } func (c *ApiController) GetAllActions() { @@ -253,7 +259,13 @@ func (c *ApiController) GetAllActions() { return } - c.ResponseOk(object.GetAllActions(userId)) + actions, err := object.GetAllActions(userId) + if err != nil { + c.ResponseError(err.Error()) + return + } + + c.ResponseOk(actions) } func (c *ApiController) GetAllRoles() { @@ -263,5 +275,11 @@ func (c *ApiController) GetAllRoles() { return } - c.ResponseOk(object.GetAllRoles(userId)) + roles, err := object.GetAllRoles(userId) + if err != nil { + c.ResponseError(err.Error()) + return + } + + c.ResponseOk(roles) } diff --git a/object/permission.go b/object/permission.go index c9641304f17f..5790d1a01251 100644 --- a/object/permission.go +++ b/object/permission.go @@ -120,7 +120,11 @@ func checkPermissionValid(permission *Permission) error { return nil } - groupingPolicies := getGroupingPolicies(permission) + groupingPolicies, err := getGroupingPolicies(permission) + if err != nil { + return err + } + if len(groupingPolicies) > 0 { _, err = enforcer.AddGroupingPolicies(groupingPolicies) if err != nil { diff --git a/object/permission_enforcer.go b/object/permission_enforcer.go index dc9defa47df9..6fe3354b684a 100644 --- a/object/permission_enforcer.go +++ b/object/permission_enforcer.go @@ -23,6 +23,7 @@ import ( "github.com/casbin/casbin/v2/log" "github.com/casbin/casbin/v2/model" "github.com/casdoor/casdoor/conf" + "github.com/casdoor/casdoor/util" xormadapter "github.com/casdoor/xorm-adapter/v3" ) 
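Review bot: The new error branch in GetAllObjects hands `err.Error()` to `c.ResponseError` unchanged, so whatever text the object layer produces is returned to the API caller; the GetAllActions and GetAllRoles hunks that follow do the same. If those errors can include adapter or database detail (not visible here), keep the full error for the server log and return a fixed message instead, for example `c.ResponseError("failed to load objects")`. If returning raw errors is the convention in this controller, a short comment saying the object-layer errors are safe to expose would settle it. All three function bodies begin outside their hunks.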
@@ -137,6 +138,16 @@ func getPolicies(permission *Permission) [][]string { } func getRolesInRole(roleId string, visited map[string]struct{}) ([]*Role, error) { + roleOwner, roleName := util.GetOwnerAndNameFromId(roleId) + if roleName == "*" { + roles, err := GetRoles(roleOwner) + if err != nil { + return []*Role{}, err + } + + return roles, nil + } + role, err := GetRole(roleId) if err != nil { return []*Role{}, err @@ -162,7 +173,7 @@ func getRolesInRole(roleId string, visited map[string]struct{}) ([]*Role, error) return roles, nil } -func getGroupingPolicies(permission *Permission) [][]string { +func getGroupingPolicies(permission *Permission) ([][]string, error) { var groupingPolicies [][]string domainExist := len(permission.Domains) > 0 @@ -170,12 +181,18 @@ func getGroupingPolicies(permission *Permission) [][]string { for _, roleId := range permission.Roles { visited := map[string]struct{}{} + + if roleId == "*" { + roleId = util.GetId(permission.Owner, "*") + } + rolesInRole, err := getRolesInRole(roleId, visited) if err != nil { - panic(err) + return nil, err } + for _, role := range rolesInRole { - roleId := role.GetId() + roleId = role.GetId() for _, subUser := range role.Users { if domainExist { for _, domain := range permission.Domains { @@ -198,7 +215,7 @@ func getGroupingPolicies(permission *Permission) [][]string { } } - return groupingPolicies + return groupingPolicies, nil } func addPolicies(permission *Permission) error { @@ -231,7 +248,10 @@ func addGroupingPolicies(permission *Permission) error { return err } - groupingPolicies := getGroupingPolicies(permission) + groupingPolicies, err := getGroupingPolicies(permission) + if err != nil { + return err + } if len(groupingPolicies) > 0 { _, err = enforcer.AddGroupingPolicies(groupingPolicies) 
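Review bot: The wildcard branch added at the top of getRolesInRole runs `util.GetOwnerAndNameFromId(roleId)` on every call before anything has validated the id. The helper is not shown on this page; if it panics on an id that is not in `owner/name` form, this commit removes `panic(err)` from getGroupingPolicies while opening a new panic path fed by stored role ids, so confirm its behavior or check the id shape first. The branch also returns before `visited` is used and hands back `GetRoles(roleOwner)` as is, which I read as intentional; a doc comment such as `// An id of "owner/*" expands to every role of owner.` would make that contract explicit. The rest of the function lies outside the hunk.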
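Review bot: Rewriting a bare `"*"` in permission.Roles to `util.GetId(permission.Owner, "*")` makes a single permission apply to the members of every role in the owner organization, and nothing at the rewrite says so. Add a comment there, e.g. `// "*" selects every role of permission.Owner`, so the widening is visible to whoever audits this function. Separately, `roleId = role.GetId()` now overwrites the outer loop's range variable where the old line shadowed it; a distinct name such as `memberRoleId := role.GetId()` would be clearer, with the uses further down (outside this hunk) renamed to match.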
@@ -249,7 +269,10 @@ func removeGroupingPolicies(permission *Permission) error { return err } - groupingPolicies := getGroupingPolicies(permission) + groupingPolicies, err := getGroupingPolicies(permission) + if err != nil { + return err + } if len(groupingPolicies) > 0 { _, err = enforcer.RemoveGroupingPolicies(groupingPolicies) @@ -287,7 +310,12 @@ func getAllValues(userId string, fn func(enforcer *casbin.Enforcer) []string) ([ return nil, err } - for _, role := range GetAllRoles(userId) { + allRoles, err := GetAllRoles(userId) + if err != nil { + return nil, err + } + + for _, role := range allRoles { permissionsByRole, err := GetPermissionsByRole(role) if err != nil { return nil, err @@ -321,17 +349,17 @@ func GetAllActions(userId string) ([]string, error) { }) } -func GetAllRoles(userId string) []string { +func GetAllRoles(userId string) ([]string, error) { roles, err := getRolesByUser(userId) if err != nil { - panic(err) + return nil, err } - var res []string + res := []string{} for _, role := range roles { res = append(res, role.Name) } - return res + return res, nil } func GetBuiltInModel(modelText string) (model.Model, error) { diff --git a/web/src/PermissionEditPage.js b/web/src/PermissionEditPage.js index 75cd40071047..73b27189baa4 100644 --- a/web/src/PermissionEditPage.js +++ b/web/src/PermissionEditPage.js @@ -303,7 +303,7 @@ class PermissionEditPage extends React.Component { {Setting.getLabel(i18next.t("role:Sub roles"), i18next.t("role:Sub roles - Tooltip"))} :
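Review bot: removeGroupingPolicies deletes exactly the rules that getGroupingPolicies recomputes at removal time, and with the wildcard added in this commit that list depends on every role the owner currently has. A role or member deleted after the rules were added would be missing from the recomputed list, so its grouping rule would presumably stay in the enforcer as a stale grant; the storage side is not visible here, so this needs confirming. At minimum note the assumption above the call, e.g. `// removes only rules derivable from current role membership`, and consider a test that removes a permission after one of its roles has been deleted. The function continues outside the hunk.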
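Review bot: In GetAllRoles, `res := []string{}` replaces the nil slice without a word on why, and it reads like something a later cleanup would revert; I assume it is there so a user with no roles serializes as `[]` rather than `null` in the API response. Say so on the line and size the slice while you are there: `res := make([]string, 0, len(roles)) // non-nil so the response is [] when the user has no roles`. GetAllRoles is exported and its signature changed; the callers in this diff are updated, any others are outside this page.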