fix: compatible RBAC in ABAC

enforcer.go

@@ -437,7 +437,11 @@ func (e *Enforcer) enforce(matcher string, explains *[]string, rvals ...interfac
 				for _, ruleName := range ruleNames {
 					if j, ok := parameters.pTokens[ruleName]; ok {
 						rule := util.EscapeAssertion(pvals[j])
-						expWithRule = util.ReplaceEval(expWithRule, rule)
+						if strings.Contains(rule, ">") || strings.Contains(rule, "<") || strings.Contains(rule, "=") {
+							expWithRule = util.ReplaceEval(expWithRule, rule)
+						} else {
+							expWithRule = util.ReplaceEval(expWithRule, "false")
+						}
 					} else {
 						return false, errors.New("please make sure rule exists in policy when using eval() in matcher")
 					}

examples/abac_with_rbac.conf

@@ -0,0 +1,14 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act
+
+[policy_effect]
+e = some(where (p.eft == allow))
+
+[role_definition]
+g = _, _
+
+[matchers]
+m = (g(r.sub, p.sub) || eval(p.sub)) && r.act == p.act

examples/abac_with_rbac.csv

@@ -0,0 +1,4 @@
+p, admin, post, write
+p, r.sub == r.obj.Author, post, write
+
+g, alice, admin

model_test.go

@@ -561,6 +561,32 @@ func TestABACPolicy(t *testing.T) {
 	testEnforce(t, e, sub3, "/data2", "write", false)
 }
 
+type testAuthor struct {
+	Author string
+}
+
+func newTestAuthor(name string) testAuthor {
+	s := testAuthor{}
+	s.Author = name
+	return s
+}
+
+func TestABACWithRBACPolicy(t *testing.T) {
+	e, _ := NewEnforcer("examples/abac_with_rbac.conf", "examples/abac_with_rbac.csv")
+
+	post := newTestAuthor("bob")
+
+	ok, err := e.Enforce("alice", post, "write")
+	if err != nil || ok != true {
+		t.Fatal("expected Enforce returns true, nil, but got", ok, err)
+	}
+
+	ok, err = e.Enforce("bob", post, "write")
+	if err != nil || ok != true {
+		t.Fatal("expected Enforce returns true, nil, but got", ok, err)
+	}
+}
+
 func TestCommentModel(t *testing.T) {
 	e, _ := NewEnforcer("examples/comment_model.conf", "examples/basic_policy.csv")
 	testEnforce(t, e, "alice", "data1", "read", true)