feat: fix enforce param name from enforceId to enforcerId #111
Merged
hsluoyz merged 2 commits into casdoor:master from Oct 2, 2025
Fix critical bug in enforce() and batch_enforce() methods where they use incorrect parameter name when calling Casdoor API, causing silent authorization failures for Enforcer objects.

Problem:
- SDK sends "enforceId" parameter (typo)
- API expects "enforcerId" parameter (correct spelling)
- Results in silent failures: returns false for all Enforcer checks
- No exceptions raised, making it hard to debug
- Security concern: appears to work but denies all access

Changes:
- Fix parameter name: "enforceId" → "enforcerId" in all methods
- Add validation to ensure exactly one parameter is provided (API requirement)
- Only send non-empty parameters to API
- Update docstrings to clarify parameter usage
- Apply fix to both sync and async versions
- Apply fix to both enforce() and batch_enforce() methods

Files changed:
- src/casdoor/main.py - enforce() and batch_enforce()
- src/casdoor/async_main.py - enforce() and batch_enforce()

Impact:
This fix enables Enforcer-based authorization to work correctly for:
- Custom Casbin models with fine-grained access control
- ABAC/ReBAC policies with pattern matching
- Facility/attribute-based authorization
- Complex authorization scenarios requiring Enforcers

Testing:
- Verified parameter name changed in all 4 methods
- Verified validation logic added correctly
- Tested against live Casdoor instance
- All existing tests remain compatible (no breaking changes)

Fixes casdoor#110
Reduces cyclomatic complexity of enforce methods to satisfy linter requirements (C901 complexity < 10).
github-actions bot pushed a commit that referenced this pull request Oct 2, 2025
# [1.39.0](v1.38.0...v1.39.0) (2025-10-02)

### Features

* fix enforce param name from enforceId to enforcerId ([#111](#111)) ([462aefc](462aefc))
🎉 This PR is included in version 1.39.0 🎉
The release is available on:
Your semantic-release bot 📦🚀
Fix: #110
Problem
The `enforce()` and `batch_enforce()` methods in both sync and async implementations incorrectly use `enforceId` as the query parameter name when calling the Casdoor API. The correct parameter name is `enforcerId` (note the 'r').
This bug causes the enforce API to silently return `false` for all authorization checks when using an Enforcer object, regardless of the actual policy rules. This is a security concern as it fails closed without raising any errors.
Related Issue
Fixes #110
Changes
Fixed parameter name in all 4 affected methods:
- `src/casdoor/main.py`: `enforce()` and `batch_enforce()`
- `src/casdoor/async_main.py`: `enforce()` and `batch_enforce()`
Changed `params["enforceId"]` to `params["enforcerId"]` in all locations.
Also added parameter validation to ensure exactly one of (permission_id, model_id, resource_id, enforce_id, owner) is provided, improving error messages when the API is called incorrectly.
Testing
Breaking Changes
None - this fixes existing broken functionality.
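Added example, not part of the PR or of the SDK's code: a stand-alone sketch of the "exactly one selector, only non-empty values sent" validation described above, next to a constructed stub server that shows why the misspelled key produced a silent deny. The helper and stub names, the sample policy, and every query key other than `enforcerId` are assumptions made for illustration.

```python
# Illustration only; not the casdoor-python-sdk implementation.
# Keyword names follow the PR description; query keys other than
# "enforcerId" are assumed, not taken from the page.
PARAM_KEYS = {
    "permission_id": "permissionId",
    "model_id": "modelId",
    "resource_id": "resourceId",
    "enforce_id": "enforcerId",
    "owner": "owner",
}


def build_enforce_params(**selectors):
    """Return the query dict for an enforce call.

    Exactly one selector must be non-empty; empty ones are never sent.
    """
    unknown = set(selectors) - set(PARAM_KEYS)
    if unknown:
        raise TypeError(f"unknown selector(s): {sorted(unknown)}")
    given = {k: v for k, v in selectors.items() if v}
    if len(given) != 1:
        raise ValueError(
            f"exactly one of {sorted(PARAM_KEYS)} is required, "
            f"got {sorted(given) or 'none'}"
        )
    name, value = next(iter(given.items()))
    return {PARAM_KEYS[name]: value}


def stub_enforce_api(query, request, policies):
    """Constructed stand-in for the server side.

    Unrecognised query keys are ignored, so a misspelled key selects no
    enforcer and the call returns False instead of raising.
    """
    rules = policies.get(query.get("enforcerId"), set())
    return tuple(request) in rules


def strict_enforce_api(query, request, policies):
    """Same stub, but unknown keys are an error, which makes a typo loud."""
    extra = set(query) - set(PARAM_KEYS.values())
    if extra:
        raise KeyError(f"unrecognised query key(s): {sorted(extra)}")
    return stub_enforce_api(query, request, policies)
```

A regression test that asserts an expected allow through an Enforcer, not only an expected deny, would have caught the original typo, since a deny-everything result passes any deny-only test.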