公開されているCasbin API
はじめに
あなたのアプリケーションのフロントエンドがログインしているユーザーのaccess_tokenを取得し、いくつかのアクセスのためにユーザーを認証したいとしましょう。 これらのAPIを使用するためにHTTPリクエストヘッダーにaccess_tokenを単純に配置することはできません。なぜならCasdoorはアクセス許可をチェックするためにAuthorizationフィールドを使用するからです。 Casdoorによって提供される他のAPIと同様に、AuthorizationフィールドはアプリケーションクライアントIDとシークレットで構成され、Basic HTTP Authentication Schemeを使用します。 それはAuthorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>のように見えます。 この理由から、Casbin APIはアプリケーションのバックエンドサーバーによって呼び出されるべきです。 それを行う手順はこちらです。
例としてデモサイトのapp-vue-python-exampleアプリケーションを取り上げると、認証ヘッダーは次のようになります:Authorization: Basic 294b09fbc17f95daf2fe dd8982f7046ccba1bbd7851d5c1ece4e52bf039d。
- フロントエンドはHTTPリクエストヘッダーを通じて
access_tokenをバックエンドサーバーに渡します。 - バックエンドサーバーは
access_tokenからユーザーIDを取得します。
事前に注意しておくと、これらのインターフェースは(今のところ)(sub, obj, act)モデル用にも設計されています。 ボディは、権限のCasbinモデルによって定義されたリクエストフォーマットで、通常はそれぞれsub、obj、actを表します。
権限制御の強制を要求するAPIインターフェースに加えて、Casdoorは外部アプリケーションが権限ポリシー情報を取得するのを助ける他のインターフェースも提供しており、ここにもリストされています。
強制
The Enforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:
permissionId: The identity of a specific permission policy (format:organization name/permission name)modelId: The identity of a permission model (format:organization name/model name) - enforces against all permissions using this modelresourceId: The identity of a resource - enforces against all permissions for this resourceenforcerId: The identity of a specific enforcerowner: The organization name - enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Request using resourceId:
curl --location --request POST 'http://localhost:8000/api/enforce?resourceId=example-org/example-resource' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '["example-org/example-user", "example-resource", "example-action"]'
Response:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
true
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using modelId, resourceId, enforcerId, or owner parameters, the response data array may contain multiple boolean values (one for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
BatchEnforce
The BatchEnforce API supports multiple query parameters to specify which permission(s) to enforce against. Only one parameter should be provided at a time:
permissionId: The identity of a specific permission policy (format:organization name/permission name)modelId: The identity of a permission model (format:organization name/model name) - enforces against all permissions using this modelenforcerId: The identity of a specific enforcerowner: The organization name - enforces against all permissions in this organization
Request using permissionId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?permissionId=example-org/example-permission' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"], ["example-org/example-user3", "example-resource", "example-action"]]'
Request using modelId:
curl --location --request POST 'http://localhost:8000/api/batch-enforce?modelId=example-org/example-model' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>' \
--data-raw '[["example-org/example-user", "example-resource", "example-action"], ["example-org/example-user2", "example-resource", "example-action"]]'
レスポンス:
{
"status": "ok",
"msg": "",
"sub": "",
"name": "",
"data": [
[
true,
true,
false
]
],
"data2": [
"example-org/example-model/example-adapter"
]
}
Note: When using modelId, enforcerId, or owner parameters, the response data array may contain multiple arrays of boolean values (one array for each permission that was checked), and data2 contains the corresponding model and adapter identifiers.
GetAllObjects
This API retrieves all objects (resources) that a user has access to. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-objects?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-objects' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
レスポンス:
{
"status": "ok",
"msg": "",
"data": [
"app-built-in",
"example-resource"
]
}
GetAllActions
This API retrieves all actions that a user can perform. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-actions?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-actions' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
レスポンス:
{
"status": "ok",
"msg": "",
"data": [
"read",
"write",
"admin"
]
}
GetAllRoles
This API retrieves all roles assigned to a user. It accepts an optional userId parameter. If not provided, it uses the logged-in user's session.
Request with userId parameter:
curl --location --request GET 'http://localhost:8000/api/get-all-roles?userId=example-org/example-user' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Request using session (userId determined from session):
curl --location --request GET 'http://localhost:8000/api/get-all-roles' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
レスポンス:
{
"status": "ok",
"msg": "",
"data": [
"role_kcx66l"
]
}
RunCasbinCommand
This API executes Casbin CLI commands and returns their output. It's designed for running language-specific Casbin command-line tools through Casdoor's backend, supporting languages like Java, Go, Node.js, Python, and others.
The API includes an in-memory cache that stores command results for 5 minutes. When the same command is executed with identical parameters, the cached result is returned immediately without re-executing the command, improving response times and reducing server load.
Request:
curl --location --request GET 'http://localhost:8000/api/run-casbin-command?language=go&args=["-v"]' \
--header 'Authorization: Basic <Your_Application_ClientId> <Your_Application_ClientSecret>'
Parameters:
language: The programming language for the Casbin CLI (e.g.,go,java,node,python)args: A JSON-encoded array of command-line arguments (e.g.,["-v"]for version,["new"]for creating new files). Note: URL-encode the JSON array when using it as a query parameter
Response:
{
"status": "ok",
"msg": "",
"data": "casbin version 2.x.x"
}
The cache key is generated from the language and arguments, so different commands are cached independently. Expired entries are automatically cleaned up to prevent memory growth.