casdoor/casdoor

[Error] Casbin Permissions Not Working When Auto-login is Enabled


Description: When auto-login is enabled in an application, initiating an authorized login from the application login page can bypass the Casbin deny policy, allowing access directly without enforcing the intended restrictions.

Steps to Reproduce:

1. Enable auto-login in the application, such as in the Nightingale application.
2. In Casbin, create a new permission and set Nightingale to "deny."
3. Attempt to initiate an authorized login from the application's login page.
4. You'll find that the account is logged in automatically without any error message, indicating an issue.
5. Disable auto-login in the application.
6. Try logging in again.
7. This time, an "Unauthorized Access" error appears, which is the expected behavior.

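The report describes a classic authorization-ordering defect: the Casbin permission check is reached on the interactive login path but not on the auto-login shortcut. The Go program below is an added illustration, not Casdoor's own code; `Policy`, `App`, `Session`, `LoginRequest`, `vulnerableLogin` and `hardenedLogin` are hypothetical names, and the in-memory deny rule, the `alice` account and its password are constructed test data standing in for a Casbin policy store. It contrasts a login handler where the check sits inside one branch with one where authentication (which path proved the user's identity) and authorization (may this user reach this application) are separated, so the enforcement call runs exactly once regardless of how the session was established.

```go
package main

import (
	"errors"
	"fmt"
)

// Added illustration, not Casdoor's own code. All types and functions here are
// hypothetical stand-ins that model the control-flow defect described in the
// issue: a Casbin-style permission check placed on the interactive login path
// only, so the auto-login shortcut never reaches it.

var ErrUnauthorized = errors.New("Unauthorized Access")
var ErrBadCredentials = errors.New("invalid credentials")

// Rule is a minimal stand-in for one Casbin permission row.
type Rule struct {
	Application string
	Effect      string // "allow" or "deny"
}

// Policy is a constructed stand-in for the Casbin enforcer; only deny rules matter here.
type Policy struct{ Rules []Rule }

// Enforce returns ErrUnauthorized when a deny rule matches the application.
func (p Policy) Enforce(app string) error {
	for _, r := range p.Rules {
		if r.Application == app && r.Effect == "deny" {
			return ErrUnauthorized
		}
	}
	return nil
}

type App struct {
	Name      string
	AutoLogin bool
}

// Session represents an already-authenticated identity-provider session (hypothetical).
type Session struct{ User string }

type LoginRequest struct {
	App      App
	Session  *Session // non-nil when the browser already holds a valid session
	User     string
	Password string
}

// checkPassword is a constructed credential check; a real system would consult a hashed store.
func checkPassword(user, password string) bool {
	return user == "alice" && password == "correct-horse"
}

func issueToken(app App, user string) string {
	return "token:" + app.Name + ":" + user
}

// vulnerableLogin reproduces the reported behaviour: with auto-login enabled and
// a session present, a token is issued before Enforce is ever called.
func vulnerableLogin(req LoginRequest, pol Policy) (string, error) {
	if req.App.AutoLogin && req.Session != nil {
		return issueToken(req.App, req.Session.User), nil // permission check skipped
	}
	if !checkPassword(req.User, req.Password) {
		return "", ErrBadCredentials
	}
	if err := pol.Enforce(req.App.Name); err != nil {
		return "", err
	}
	return issueToken(req.App, req.User), nil
}

// hardenedLogin first resolves who the user is (via session or password), then
// runs the permission check once on the shared path, so no branch can bypass it.
func hardenedLogin(req LoginRequest, pol Policy) (string, error) {
	var user string
	switch {
	case req.App.AutoLogin && req.Session != nil:
		user = req.Session.User
	case checkPassword(req.User, req.Password):
		user = req.User
	default:
		return "", ErrBadCredentials
	}
	if err := pol.Enforce(req.App.Name); err != nil {
		return "", err
	}
	return issueToken(req.App, user), nil
}

func main() {
	pol := Policy{Rules: []Rule{{Application: "nightingale", Effect: "deny"}}}
	req := LoginRequest{
		App:     App{Name: "nightingale", AutoLogin: true},
		Session: &Session{User: "alice"},
	}
	tok, err := vulnerableLogin(req, pol)
	fmt.Printf("vulnerable: token=%q err=%v\n", tok, err) // token="token:nightingale:alice" err=<nil>
	tok, err = hardenedLogin(req, pol)
	fmt.Printf("hardened:   token=%q err=%v\n", tok, err) // token="" err=Unauthorized Access
}
```

The useful regression check for a fix is the pair of cases in `main`: the same deny rule must produce `Unauthorized Access` whether or not auto-login is enabled, and a request with no matching deny rule must still succeed on both paths.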