Copilot AI commented Dec 9, 2025

getImplicitPermissionsForUser() and getImplicitRolesForUser() only matched exact domains, failing to retrieve roles/permissions defined with wildcard domain (*). This prevented role hierarchy patterns where abstract roles define permissions globally and concrete roles inherit them per-domain.

Changes

Extended domain matching logic:

  • getImplicitRolesForUser() now queries both the specific domain and wildcard domain *
  • getImplicitPermissionsForUser() now retrieves policies from both the specific domain and wildcard domain *

This aligns with the matcher behavior: g(r.sub, p.sub, r.dom) || g(r.sub, p.sub, '*')

Example

With this setup:

# Abstract role with wildcard domain
p, abstract_role, *, resource, read

# Role hierarchy
g, concrete_role, abstract_role, tenant1
g, user, concrete_role, tenant1

Previously:

await enforcer.getImplicitPermissionsForUser('user', 'tenant1');
// Returns: []

Now:

await enforcer.getImplicitPermissionsForUser('user', 'tenant1');
// Returns: [['abstract_role', '*', 'resource', 'read']]
Original prompt

This section details the original issue you should resolve

<issue_title>How to do Role hierarchy with domain using casbin</issue_title>
<issue_description>Hi, for my usage, I need to set up casbin with role hierarchy to avoid duplication between domains.

Example of policies

### Define global user role permissions
p, abstract_roles1, devis, read, *
p, abstract_roles1, devis, create, *

p, abstract_roles2, devis, read, *
p, abstract_roles2, organization, read, *
p, abstract_roles2, organization, write, *


### Define role inheritance
g, roles1, abstract_roles1, tenant1
g, roles1, abstract_roles1, tenant2
g, roles1, abstract_roles1, tenant3

g, roles2, abstract_roles2, tenant1
g, roles2, abstract_roles2, tenant2
g, roles2, abstract_roles2, tenant3

g, super_user, abstract_roles2, *

### Assign users to roles
g, michael, roles1, tenant1
g, antoine, roles1, tenant2
g, kevin, roles1, tenant3

g, thomas, roles2, tenant1
g, thomas, roles2, tenant2
g, lucie, roles2, tenant3

g, theo, super_user, *

Example of configuration

[request_definition]
r = sub, obj, act, dom

[policy_definition]
p = sub, obj, act, dom, eft

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = (g(r.sub, p.sub, r.dom) || g(r.sub, p.sub, '*')) && (p.dom == '*' || r.dom == p.dom) && r.obj == p.obj && r.act == p.act

Is this method the best approach, or are there alternative methods available? How can I retrieve all permissions for a user using this library?

Currently, this.enforcer.getImplicitPermissionsForUser() is not functioning as intended.</issue_description>

Comments on the Issue (you are @copilot in this section)

@mserico don't modify yarn.lock
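
The lookup described in this PR, modelled as an added stand-alone example (not node-casbin code and not part of the PR): roles and policies are resolved in both the requested domain and `*`, which makes it easy to audit what a wildcard-domain policy grants in each tenant. The data follows the PR's example; the function names and the `auditor` and `billing` entries are constructed assumptions.

```javascript
// Added illustration, NOT node-casbin code. All names are hypothetical.
// Constructed sample data in the PR example's field order:
//   p = sub, dom, obj, act        g = member, role, dom
const POLICIES = [
  ['abstract_role', '*', 'resource', 'read'],
  ['concrete_role', 'tenant2', 'billing', 'write'], // constructed extra rule
];
const GROUPINGS = [
  ['concrete_role', 'abstract_role', 'tenant1'],
  ['user', 'concrete_role', 'tenant1'],
  ['auditor', 'abstract_role', '*'], // constructed wildcard role assignment
];

// A rule applies if its domain equals the requested one or, when wildcard
// matching is enabled, if it is defined for '*'.
const domainApplies = (ruleDom, reqDom, wildcard) =>
  ruleDom === reqDom || (wildcard && ruleDom === '*');

// Breadth-first walk of the role graph; the `seen` set also stops cycles.
function implicitRoles(subject, domain, wildcard = true) {
  const seen = new Set();
  const queue = [subject];
  while (queue.length > 0) {
    const current = queue.shift();
    for (const [member, role, dom] of GROUPINGS) {
      if (member === current && domainApplies(dom, domain, wildcard) && !seen.has(role)) {
        seen.add(role);
        queue.push(role);
      }
    }
  }
  return [...seen];
}

// Policies held by the subject or any inherited role in this domain.
// wildcard: false reproduces the exact-domain-only result shown under "Previously".
function implicitPermissions(subject, domain, { wildcard = true } = {}) {
  const subjects = [subject, ...implicitRoles(subject, domain, wildcard)];
  return POLICIES.filter(([sub, dom]) =>
    subjects.includes(sub) && domainApplies(dom, domain, wildcard));
}

// Audit view: what the same user effectively holds in each tenant.
for (const tenant of ['tenant1', 'tenant2']) {
  console.log(tenant, JSON.stringify(implicitPermissions('user', tenant)));
}
```

A listing like this is worth reviewing whenever a `*` policy is added, since every role that inherits from the abstract role gains it in every domain where that inheritance exists.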


@mserico mserico marked this pull request as ready for review December 9, 2025 17:17

coveralls commented Dec 9, 2025

Pull Request Test Coverage Report for Build 20072651589

Details

  • 13 of 13 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage increased (+0.09%) to 78.387%

Totals Coverage Status
Change from base Build 20035255537: 0.09%
Covered Lines: 1638
Relevant Lines: 1990


Copilot AI changed the title from "[WIP] Add role hierarchy setup with Casbin" to "Support wildcard domains in getImplicitPermissionsForUser and getImplicitRolesForUser" Dec 9, 2025
Copilot AI requested a review from mserico December 9, 2025 17:32