casbin · Copilot · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025 · Dec 8, 2025
diff --git a/examples/abac_not_using_policy_model.conf b/examples/abac_not_using_policy_model.conf
@@ -0,0 +1,11 @@
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[policy_effect]
+e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+
+[matchers]
+m = r.sub == r.obj.Owner
diff --git a/examples/abac_rule_effect_policy.csv b/examples/abac_rule_effect_policy.csv
@@ -0,0 +1,4 @@
+p, alice, data1, read, deny
+p, alice, data1, write, allow
+p, bob, data2, write, deny
+p, bob, data2, read, allow
diff --git a/src/coreEnforcer.ts b/src/coreEnforcer.ts
@@ -426,6 +426,26 @@ export class CoreEnforcer {
     }
   }
 
+  /**
+   * Helper method to populate request parameters with JSON parsing support
+   */
+  private populateRequestParameters(parameters: { [key: string]: any }, rTokens: string[] | undefined, rvals: any[]): void {
+    if (this.acceptJsonRequest) {
+      // Attempt to parse each request parameter as JSON; continue with string if failed
+      rTokens?.forEach((token, j) => {
+        try {
+          parameters[token] = JSON.parse(rvals[j]);
+        } catch {
+          parameters[token] = rvals[j];
+        }
+      });
+    } else {
+      rTokens?.forEach((token, j): void => {
+        parameters[token] = rvals[j];
+      });
+    }
+  }
+
   private *privateEnforce(
     asyncCompile = true,
     explain = false,
@@ -479,28 +499,22 @@ export class CoreEnforcer {
 
     const effectStream = this.eft.newStream(effectExpr);
 
-    if (policyLen && policyLen !== 0) {
+    // Check if the matcher references policy tokens (e.g., p.sub, p.obj, p2.sub)
+    // Note: escapeAssertion transforms "p." to "p_", so we check for "p_" or "p<digit>_" in the escaped expression
+    // If the matcher doesn't reference policy tokens, we can skip policy iteration (no-policy ABAC)
+    const escapedPType = enforceContext.pType.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+    const policyTokenPattern = new RegExp(`${escapedPType}\\d*_`);
+    const matcherUsesPolicyTokens = policyTokenPattern.test(expString);
+
+    if (policyLen && policyLen !== 0 && matcherUsesPolicyTokens) {
       for (let i = 0; i < policyLen; i++) {
         const parameters: { [key: string]: any } = {};
 
         if (rTokens?.length !== rvals.length) {
           throw new Error(`invalid request size: expected ${rTokensLen}, got ${rvals.length}, rvals: ${rvals}"`);
         }
 
-        if (this.acceptJsonRequest) {
-          // Attempt to parse each request parameter as JSON; continue with string if failed
-          rTokens.forEach((token, j) => {
-            try {
-              parameters[token] = JSON.parse(rvals[j]);
-            } catch {
-              parameters[token] = rvals[j];
-            }
-          });
-        } else {
-          rTokens.forEach((token, j) => {
-            parameters[token] = rvals[j];
-          });
-        }
+        this.populateRequestParameters(parameters, rTokens, rvals);
 
         p?.tokens.forEach((token, j) => {
           parameters[token] = p?.policy[i][j];
@@ -572,13 +586,16 @@ export class CoreEnforcer {
         }
       }
     } else {
+      // When matcher doesn't use policy tokens or there are no policies
+      if (HasEval && !policyLen) {
+        throw new Error('please make sure rule exists in policy when using eval() in matcher');
+      }
+
       explainIndex = 0;
 
       const parameters: { [key: string]: any } = {};
 
-      rTokens?.forEach((token, j): void => {
-        parameters[token] = rvals[j];
-      });
+      this.populateRequestParameters(parameters, rTokens, rvals);
 
       p?.tokens?.forEach((token) => {
         parameters[token] = '';

diff --git a/test/enforcer.test.ts b/test/enforcer.test.ts
@@ -627,6 +627,21 @@ test('test ABAC single eval() with r. in unexpected places', async () => {
   await testEnforce(e, { id: 3 }, ({ owner: { id: 2 } } as unknown) as string, 'read', false);
 });
 
+test('test ABAC not using policy with JSON request', async () => {
+  const e = await newEnforcer('examples/abac_not_using_policy_model.conf', 'examples/abac_rule_effect_policy.csv');
+  e.enableAcceptJsonRequest(true);
+
+  const data1Json = '{ "Name": "data1", "Owner": "alice"}';
+  const data2Json = '{ "Name": "data2", "Owner": "bob"}';
+
+  // Matcher is "r.sub == r.obj.Owner" which doesn't use policy
+  // Policy file is loaded but ignored since matcher doesn't reference p.*
+  await testEnforce(e, 'alice', data1Json, 'read', true);
+  await testEnforce(e, 'alice', data1Json, 'write', true);
+  await testEnforce(e, 'alice', data2Json, 'read', false);
+  await testEnforce(e, 'alice', data2Json, 'write', false);
+});
+
 test('test escapeAssertion with string literals (issue)', async () => {
   // Test case from GitHub issue: escapeAssertion should not replace r./p. inside string literals
   const MY_RESOURCE_NAME = 'r.my_resource';

diff --git a/test/model.test.ts b/test/model.test.ts
@@ -189,6 +189,20 @@ test('TestABACModel', async () => {
   await testEnforce(e, 'bob', data2, 'write', true);
 });
 
+test('TestABACNotUsingPolicy', async () => {
+  const e = await newEnforcer('examples/abac_not_using_policy_model.conf', 'examples/abac_rule_effect_policy.csv');
+
+  const data1 = new TestResource('data1', 'alice');
+  const data2 = new TestResource('data2', 'bob');
+
+  // Matcher is "r.sub == r.obj.Owner" which doesn't use policy
+  // Policy file is loaded but ignored since matcher doesn't reference p.*
+  await testEnforce(e, 'alice', data1, 'read', true);
+  await testEnforce(e, 'alice', data1, 'write', true);
+  await testEnforce(e, 'alice', data2, 'read', false);
+  await testEnforce(e, 'alice', data2, 'write', false);
+});
+
 test('TestKeyMatchModel', async () => {
   const e = await newEnforcer('examples/keymatch_model.conf', 'examples/keymatch_policy.csv');