Exposed Casbin APIs
Introduction
Let's assume that your application's front-end has obtained the access_token of the logged-in user and now wants to check whether that user is authorized for some access. You cannot simply place the access_token in the HTTP request header to call these APIs, because Casdoor uses the Authorization field to check the access permission of the caller. Like any other API provided by Casdoor, the Authorization field carries the application's client id and secret using the Basic HTTP authentication scheme, in the form Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>. Take the app-vue-python-example application on the demo site for example; its authorization header would be: Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d
Because the header carries the client secret, which must never be exposed to the browser, the Casbin APIs should be called by the application's backend server. The steps are:
- The front-end passes the access_token to the backend server through the HTTP request header.
- The backend server retrieves the user id from the access_token and uses it as the subject when calling the APIs below with the application's client id and secret.
Note in advance that these interfaces are (for now) designed for the (sub, obj, act) model. The request body is a JSON array in the request format defined by the Casbin model of the permission, usually representing sub, obj and act respectively.
In addition to the API for requesting enforcement of permission control, Casdoor also provides other interfaces that help external applications obtain permission policy information; they are listed here as well.
Enforce
The Enforce API supports several query parameters to specify which permission(s) to enforce against. Only one parameter should be provided per request:
- permissionId: the identity of a specific permission policy (format: organization name/permission name)
- modelId: the identity of a permission model (format: organization name/model name); enforces against all permissions using this model
- resourceId: the identity of a resource; enforces against all permissions for this resource
- enforcerId: the identity of a specific enforcer
- owner: the organization name; enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using resourceId:
curl --location --request POST 'http://localhost:8000/api/enforce?resourceId=example-org/example-resource' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Response:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
true
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using the modelId, resourceId, enforcerId or owner parameters, the response data array may contain multiple boolean values (one for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
BatchEnforce
The BatchEnforce API supports several query parameters to specify which permission(s) to enforce against. Only one parameter should be provided per request:
- permissionId: the identity of a specific permission policy (format: organization name/permission name)
- modelId: the identity of a permission model (format: organization name/model name); enforces against all permissions using this model
- enforcerId: the identity of a specific enforcer
- owner: the organization name; enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"]]'
Response:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
[
true,
true,
false
]
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using the modelId, enforcerId or owner parameters, the response data array may contain multiple arrays of boolean values (one array for each permission that was checked, each aligned with the order of the request batch), and data2 contains the corresponding model and adapter identifiers.
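The following is an added example of the backend side of the flow described in the introduction, applied to the Enforce and BatchEnforce APIs above. It is not code from the Casdoor project or from the app-vue-python-example application. It builds the request with exactly one selector and the documented Authorization header, and then reads the data array the way the two notes describe: one boolean per checked permission for Enforce, and one per-permission array aligned with the request batch for BatchEnforce. The endpoint, the client id and secret, and the rule for folding several permissions into one decision (allow if any permission grants, with `all` as a stricter alternative) are assumptions of the example; everything that is not "ok" or not shaped like the documented responses is treated as a denial.

```python
"""Backend-side calls to Casdoor's Enforce and BatchEnforce APIs.

Added example, not code from the Casdoor project or the app-vue-python-example
application. It assumes a Casdoor server at CASDOOR_ENDPOINT and that the
application's client id/secret are held by the backend only; the browser never
sees them. Selector names, paths and response shapes follow the documentation.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterable, Optional

CASDOOR_ENDPOINT = "http://localhost:8000"  # assumed deployment value

# Query parameters documented for each endpoint; exactly one is sent per call.
ENFORCE_SELECTORS = {"permissionId", "modelId", "resourceId", "enforcerId", "owner"}
BATCH_SELECTORS = {"permissionId", "modelId", "enforcerId", "owner"}


def auth_header(client_id: str, client_secret: str) -> str:
    """Authorization value in the form documented for Casdoor."""
    return f"Basic {client_id} {client_secret}"


def build_request(path: str, selector: str, value: str, body: list,
                  client_id: str, client_secret: str,
                  endpoint: str = CASDOOR_ENDPOINT) -> urllib.request.Request:
    """POST request for /api/enforce or /api/batch-enforce with one selector.

    body is [sub, obj, act] for Enforce and a list of such triples for BatchEnforce.
    """
    allowed = BATCH_SELECTORS if path == "/api/batch-enforce" else ENFORCE_SELECTORS
    if selector not in allowed:
        raise ValueError(f"{selector!r} is not a selector accepted by {path}")
    url = f"{endpoint}{path}?{urllib.parse.urlencode({selector: value}, safe='/')}"
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": auth_header(client_id, client_secret)},
        method="POST",
    )


def _results(resp: dict) -> Optional[list]:
    """Return the data array of a successful response, or None to fail closed."""
    data = resp.get("data")
    if resp.get("status") != "ok" or not isinstance(data, list) or not data:
        return None
    return data


def enforce_allowed(resp: dict,
                    combine: Callable[[Iterable[bool]], bool] = any) -> bool:
    """Decide from an Enforce response.

    data holds one boolean per permission that was checked (several when the
    request used modelId, resourceId, enforcerId or owner). Folding them with
    `combine` (default: allow if any permission grants) is this example's own
    policy, not something the API prescribes; pass `all` for a stricter rule.
    A non-ok status or a malformed payload is treated as a denial.
    """
    results = _results(resp)
    if results is None or not all(isinstance(r, bool) for r in results):
        return False
    return combine(results)


def batch_allowed(resp: dict, n_requests: int,
                  combine: Callable[[Iterable[bool]], bool] = any) -> list[bool]:
    """Decide from a BatchEnforce response.

    data is a list of per-permission lists, each aligned index-by-index with
    the request batch, so data[i][j] answers request j under permission i.
    Returns one decision per request; a response that does not line up with
    the batch denies every request.
    """
    rows = _results(resp)
    if rows is None or not all(
        isinstance(row, list) and len(row) == n_requests
        and all(isinstance(r, bool) for r in row)
        for row in rows
    ):
        return [False] * n_requests
    return [combine(row[j] for row in rows) for j in range(n_requests)]


def enforce(sub: str, obj: str, act: str, selector: str, value: str,
            client_id: str, client_secret: str,
            opener: Callable = urllib.request.urlopen) -> bool:
    """Round trip for one (sub, obj, act) check; opener is injectable for tests."""
    req = build_request("/api/enforce", selector, value, [sub, obj, act],
                        client_id, client_secret)
    with opener(req) as r:
        return enforce_allowed(json.load(r))


if __name__ == "__main__":
    # Constructed responses shaped like the documented ones; no server needed.
    single = {"status": "ok", "msg": "", "data": [True],
              "data2": ["example-org/example-model/example-adapter"]}
    batch = {"status": "ok", "msg": "", "data": [[True, True, False]],
             "data2": ["example-org/example-model/example-adapter"]}
    print(enforce_allowed(single))             # True
    print(batch_allowed(batch, n_requests=3))  # [True, True, False]
```

In production the `opener` would be urllib's default (or any HTTP client) pointed at the real Casdoor endpoint over TLS; the decision functions are kept free of I/O so that the fail-closed handling of odd responses can be tested without a server.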
GetAllObjects
This API retrieves all objects (resources) that a user has access to. It accepts an optional userId parameter; if it is not provided, the user is taken from the logged-in session. A backend calling with the application's client id and secret, as described in the introduction, carries no user session on that request, so it should pass the userId of the user it is acting for explicitly.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-objects?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Response:
{
"status": "ok",
"msg": "",
"data": [
"app-built-in",
"example-resource"
]
}
GetAllActions
This API retrieves all actions that a user can perform. It accepts an optional userId parameter; if it is not provided, the user is taken from the logged-in session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-actions?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Response:
{
"status": "ok",
"msg": "",
"data": [
"read",
"write",
"admin"
]
}
GetAllRoles
This API retrieves all roles assigned to a user. It accepts an optional userId parameter; if it is not provided, the user is taken from the logged-in session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-roles?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Response:
{
"status": "ok",
"msg": "",
"data": [
"role_kcx66l"
]
}